Health Information Exchange Featured Article

April 11, 2012

Utah Department of Health Revises Medical Data Breach Numbers Upward

It all came down to this: a technician’s weak password.

What are we talking about? The health records of almost a million people in Utah on Medicaid and in a health care program for low-income children are now in the hands of hackers.

On March 30, 24,000 files were downloaded to computers in Eastern Europe, many files containing names, addresses, even Social Security numbers and other confidential personal information, according to a story by Nicole Perlroth.

She writes that Utah’s Department of Health (DOH) has had to update the number of victims three times, initially reporting that only 24,000 people were affected, then expanding it Monday evening to 780,000. Almost 300,000 of those unfortunate patients had their Social Security numbers stolen, according to the revised statement from the DOH, Perlroth reports.

“Why do we continue to see these large aggregate databases?” Eddie Schwartz, chief information security officer at the computer security firm RSA, told Perlroth in an interview on Tuesday. “Why should hackers be able to steal 10 million credit card numbers or 700,000 personal records at once? We need to think about distributing that information so that when networks do get penetrated, we’re not looking at an all-or-nothing situation.”

Perlroth reveals that officials at Utah’s DOH had recently moved claim records to a new server just for that reason. But in spite of several layers of security, Perlroth writes, the DOH said hackers were able to bypass the system because of the weak password on the server. The server has since been shut down, new security measures have been put in place, and inspections of other servers across the state began immediately.

Sadly, it’s becoming clear that banks are not the only ones being hacked these days. That’s because health information like what was hacked in Utah “could fetch a higher price on the black market than a single credit card record,” Perlroth writes.

This hacking of medical records was only one of many this year and last. And it’s costing us big bucks. Experts have found that medical data breaches cost the U.S., on average, over $6 billion a year. Guess where that money comes from? 

Utah’s DOH said it was working with the F.B.I. to track down the hackers and was offering free credit monitoring to the victims, which is small comfort when your Social Security number, not to mention the fact that you’re on Zoloft, is circulating around the world.

Edited by Jennifer Russell