A weak password is to blame for the hacking of a Utah Department of Technology Services server containing patients' Social Security numbers and data on children's health plans.
On March 30 a hacker from Eastern Europe illegally accessed a Utah Department of Technology Services (DTS) server containing Social Security numbers for the Medicaid claims.
DTS provides technology services to Utah state agencies.
The breach involved both Medicaid patients as well as recipients of Children's Health Insurance Plan, which provides insurance coverage for children without other health insurance and who meet income guidelines.
The Utah Department of Health initially believed that 24,000 claims had been accessed, but that number is now about 780,000, according to UDOH.
The department then reported that 280,000 people had their Social Security numbers stolen and about 500,000 others had less-sensitive personal data, such as name, date of birth and address, compromised.
Outside firms hired by the UDOH and the Utah Department of Administrative Services (DAS) will conduct a forensic analysis to identify victims.
"Individuals provide sensitive personal information to the government in a relationship of trust," Herbert said in a statement.
"It is tragic that not only data was breached, but now individual trust is also compromised."
These servers also typically store names of physicians, national provider identifiers, addresses, tax identification numbers and procedure codes for billing, according to UDOH.
DTS reports that its servers are multilayered with security controls for perimeter, network, application, data security and identity management.
"All servers in the state are required to have secure passwords."
Despite these requirements, passwords in general are rarely changed for "privileged" accounts, according to Adam Bosnian, executive vice president, Americas and corporate development at Cyber-Ark Software, an identity-management vendor.
"Despite controlling access to an organization's sensitive data assets, these shared accounts simply do not have the same security standards applied to them," said Bosnian.
"Because these types of privileged accounts can act as a gateway to an organization's most sensitive data and information assets, they've emerged as the primary target for hackers," said Bosnian.
"DTS is doing everything they can to restore security," Governor Herbert said.
Automated Summary from: eWeek