State of Utah Medicaid Breach Affects 800,000

The reports and details around the State of Utah Medicaid Breach are starting to come out. An article in the Salt Lake Tribune gave the following numbers:

* 280,000 social security numbers were exposed to hackers
* 500,000 people had less sensitive information, like names and birth dates, exposed

This is interesting since the initial data breach number was that 24,000 Utahns on public health insurance were at risk. 800,000 is quite a few more people. The Tribune article says it touches 1 in every 6 Utahns. Compared with other breaches, that’s huge.

I know people love to read reports about healthcare data breaches (see one of my most popular posts on HIPAA Privacy Violations and HIPAA Lawsuits). It’s kind of like the rubberneckers on the freeway when there’s an accident. We have to turn our heads to see what happened.

Here’s another part of the article linked above that provides more details.

So far, there have been no reports of people using the information to obtain fraudulent credit cards and loans.

But due to the breach’s scope and potential for harm, the FBI is now investigating.

“Computer intrusions are one of our top priorities,” said Greg Bretzing, assistant special agent in charge of the FBI’s Salt Lake City office. He declined to comment on the investigation or confirm the suspicions of state technology officials who traced the hacker, or hackers, to Eastern Europe.

Unfortunately, we’re really short on details of what actually happened. Not all hacks are created equal. In many cases, a computer gets hacked by a bot with no thought of what information is actually on the server. These bots just scan the internet for vulnerabilities and go through any doors that people left open. Often it’s just about the conquest and not about the information on the actual machine. Unless they give us more details, it will be hard to really know if this was intentional or coincidental.

Although, in this breach, a whole lot of social security numbers are at risk and there is a market for those since our whole financial life revolves around that number. I’ve had a number of Twitter conversations about the market for breached healthcare data. I’m still not convinced there is much of a market for it. I could imagine a scenario where a HUGE amount of aggregate healthcare data has some real value and could be sold to someone. I just don’t see the same value in an individual health record as there is in an individual social security number. Although, I’ll never underestimate the creativity of humans.

The State of Utah Medicaid is offering the standard 1 year identity theft service to those affected. Seems like identity theft services might be the business of the future since every breach turns to them to cover what happened. They haven’t offered any healthcare data identity theft services since I’ve never seen such a service. Is that service not available because it’s not really a problem? I know healthcare identity theft is an issue, but I don’t think those issues stem from breaches. I’d be interested if someone has information that says otherwise.

I’ll also add my regular disclaimer. This healthcare data breach has NOTHING to do with an EHR breach. I’m sure we’ll have a major breach of EHR data at some point in the future, but as of now insurance data and lost devices seem to dominate the healthcare breaches that I’ve seen.

About the author

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • This is terrible…and Utah is only offering a year of protection?? If the hackers actually use this data, it will probably be later than that. I’m with John about the marketability of healthcare data. Unless you are a high profile person, most of our individual PHI is probably near worthless. Thank God.

  • I’m guessing that folks on public health insurance by and large do not have the financial profiles that a buyer would want in a SSN. If these identities could qualify for large amounts of credit, they would not be on public assistance (let’s hope anyway).

  • I was hacked. I don’t have Medicaid or children, just normal PPO insurance. What kind of help will I have when my one year of credit checking set up through the state has expired? What do we do on day 366, just guess everything is OK again? Is there a class action suit?
