Nearly 200,000 people who receive benefits from Medicaid and the Children's Health Insurance Plan in Utah have had their personal information, including Social Security numbers in some cases, compromised in an intrusion on the network of the Utah Department of Technology Services. The revised estimate of 181,000 victims is nearly eight times the 24,000 people that the department initially thought were affected by the attack.
During the early stages of the investigation into the attack, the DTS thought that personal information belonging to 24,000 recipients had been stolen. However, the department later discovered that it was 24,000 files that had been taken, and said that each of those files contains data on many recipients, which resulted in the huge jump in the estimated number of people affected by the attack.
“Initially, it appeared as though the hackers who broke into the server were able to remove 24,000 claims. However, as the investigation progressed, DTS determined the thieves actually removed 24,000 files. One single file can potentially contain claims information on hundreds of individuals,” the Utah Department of Health said in a statement.
Aside from the big jump in the number of compromised records during the investigation, the breach in Utah is remarkable for one other significant reason: the department revealed how the attack happened. In its statement, the Department of Health said that the attackers were able to break into the Department of Technology Services machine by exploiting a configuration error in the authentication system on one of the servers. While the explanation didn't name the specific error or say exactly how the attackers exploited it, the mere fact that the department pointed to a particular mistake, rather than to some unnamed third party or APT-style attack, is remarkable on its own.
“DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure,” the department said in the statement.
“DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again. Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.”
Organizations that fall victim to data breaches are typically loath to give up even a small morsel of information about the attack and where the breakdown in their defenses occurred. Such admissions are seen as a sign of weakness and as attractive bait for regulators or angry customers who may want to take the organization to court. So the small amount of information that the Department of Technology Services and the Department of Health made public in this case is unusual, even though it is still relatively minimal.
Utah DOH officials said that the department is planning to contact all of the victims by letter and will offer credit-monitoring services to victims whose SSNs were compromised.