Last week, Utah officials first reported that the breach, which they say was the likely work of hackers in Eastern Europe, exposed about 24,000 records of Medicaid claims and that those claims may have included recipients' names, addresses, dates of birth, Social Security numbers and procedure codes as well as their physicians' names, addresses and tax and national provider identification numbers. Later that week, the exposure number jumped to 181,604, and then to nearly three quarters of a million this week. Such rolling embarrassments happen sometimes.
In March, Blue Cross Blue Shield of Tennessee agreed to pay a $1.5 million settlement after data on about 1 million of its members were breached when 57 storage drives were stolen from one of its offices in Chattanooga in the fall of 2009. In that event, initial reports pegged the records lost at 220,00, but that number spiraled upwards as the health plan spent millions of dollars hiring forensic auditors to determine the full extent of the data loss. In addition to the settlement with the government, the Blues plan reportedly paid out $7 million to various firms and individuals to clean up the mess.
Details about all 410 major breaches have been publicly posted on the “wall of shame” website kept by the civil rights office. Almost all of them have another thing in common. The data lost, hacked, or stolen was not encrypted. (I can't say all, because I recall at least one recent breach involved encrypted data on a laptop stolen in a home burglary in which the thief or thieves also took the encryption key left conveniently on a piece of paper beside the machine.)
According to security experts, encryption is not a panacea, but it is a good defensive tool.
A Utah official told me the state will be taking a look at adding encryption. Apparently, more than 400 lessons learned weren't enough before this latest breach in Utah occurred. Let's see how the industry reacts to this one.
Follow Joseph Conn on Twitter @MHJConn.