Hackers believed to be operating out of Eastern Europe gained access to around 24,000 Medicaid claims housed on a Utah Technology Services Department server, according to the state's health department.
The Utah Health Department stated in a news release
that the state's tech services department, which operates the server containing the Medicaid claims, gave notice of the breach on Monday evening. The breach itself appears to have occurred Friday, according to the release.
Accessed records—based on the types of data stored on similar servers—may have included recipients' names, addresses, dates of birth, Social Security numbers and procedure codes as well as their physicians' names, addresses and tax and national provider identification numbers.
The Utah tech services department had recently moved the claims records to a new server, and hackers apparently "were able to circumvent the server's multilayered security system," the health department's release said.
The health department will mail letters to affected Medicaid recipients, and those whose Social Security numbers were compromised will receive free credit monitoring services, according to the release.
Stephanie Weiss, a public information officer for the state's technology services department, said the information on the hacked server was not encrypted but that the state's encryption policy could change in the wake of the breach.
"Yes, definitely, we are looking at every option," Weiss said.
Last week, Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights at HHS, disclosed in a slide presentation to the 20th National HIPAA Summit that more than 50,000 breaches
have been reported to HHS since September 2009, when the American Recovery and Reinvestment Act of 2009 required providers, payers and other HIPAA-covered entities to do so.
Of the largest breaches—those involving more than 500 records, for which the Office for Civil Rights makes data publicly available—just 7% involve hacking, according to McAndrew's presentation.
There have been 410 of those publicly reported breaches, which exposed more than 19.2 million records, according to data posted on the regulator's website.
The vast majority of the HHS-reported breaches, however, exposed 500 or fewer records. To date, the Office for Civil Rights has denied multiple requests by Modern Healthcare under the Freedom of Information Act for copies of its records of those lesser breaches.