Utah Data Breach of 181,000 Records Blamed on Configuration Error

Nearly 200,000 people who receive benefits from the Medicaid and Child Health Insurance Plan in Utah have had their personal information, including Social Security numbers in some cases, compromised as part of an intrusion on the network at the Utah Department of Technology Services. The estimate of 181,000 victims is nearly eight times higher than the 24,000 people that the department initially thought were affected by the attack.

During the early stages of the investigation into the attack, the DTS thought that personal information belonging to 24,000 recipients had been stolen. However, the department later discovered that it was 24,000 files that had been taken, and said that each of those files contains data on many recipients, which resulted in the huge jump in the estimated number of people affected by the attack. 

“Initially, it appeared as though the hackers who broke into the server were able to remove 24,000 claims.  However, as the investigation progressed, DTS determined the thieves actually removed 24,000 files.  One single file can potentially contain claims information on hundreds of individuals,” the Utah Department of Health said in a statement.

Aside from the big jump in the number of compromised records during the investigation, the breach in Utah is remarkable for one other significant reason: the department revealed how the attack happened. In its statement, the Department of Health said that the attackers were able to break into the Department of Technology Services machine by exploiting a configuration error in the authentication system on one of the servers. While the explanation didn’t mention the specific error or exactly how the attackers exploited it, the mere fact that the department pointed to a particular mistake rather than some unnamed third party or APT-type attack is remarkable on its own.

“DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security.  In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure,” the department said in the statement.

“DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again. Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.”

Organizations that fall victim to data breaches typically are loath to give up even a small morsel of information about the attack and where the breakdown in the defenses occurred. Such admissions are seen as a sign of weakness and also as attractive bait for regulators or angry customers who may want to go after the company in court. So the small amount of information that the Department of Technology Services and Department of Health made public in this case is unusual, even though it’s still relatively minimal.

Utah DOH officials said that the department is planning to contact all of the victims by letter and will offer credit-monitoring services to victims whose SSNs were compromised. 

Discussion

  • Lorraine Emerick on

    Cyber criminals are becoming more sophisticated as technology connects our lives as never before in history. From our smart phones and laptops to complex infrastructure systems, cyber criminals have more platforms and opportunities to strike.

    Truth is…traditional insurance policies weren’t designed to specifically address the complex privacy and data breaches that threaten client information and compromise networks – leaving many organizations and professionals unprotected against privacy lawsuits, loss of revenue, reputation and potentially loss of clients. Do you know if your vendors are properly insured? Are you asking for certificates of insurance as evidence of E&O as well as privacy and breach coverages?  It’s a whole new legal environment – visit to learn more or email a question Marshall & Sterling's Cyber Center.

     

  • Jay Foley on

     

    It is unfortunate that the Utah Department of Health had a data breach.  It is commendable in the manner in which it has been reported.  Errors in system configurations are a part of system construction.  This is why the people who maintain and build the systems continuously test the system for flaws.  That a flaw was not discovered or overlooked until a hacker exploited it is a painful lesson for those who maintain the system. Now is the time to fix the problem and find the hacker.  It is not the time to go head hunting for the person who didn’t find the flaw.

     

  • Anonymous on

     

    I have posted this already here before. You guys should stop complaining because, one, the health care we have now isn't as good as it was supposed to be. Also the law has just been signed so give it some time. So if u want to say u have the right to choose tell that to ur congressmen or state official. If you do not have insurance and need one you can find full medical coverage at the lowest price, check search online for "Penny Health". If you have health insurance and do not care about cost just be happy about it and believe me you are not going to lose anything!

     
