The reports and details around the State of Utah Medicaid Breach are starting to come out. An article in the Salt Lake Tribune gave the following numbers:
* 280,000 social security numbers were expose to hackers
* 500,000 less sensitive information like names and birth dates was exposed
This is interesting since the initial data breach number was at 24,000 Utahns on public health insurance were at risk. 800,000 is quite a few more people. The Tribune article says it touches 1 in every 6 Utahns. Compared with other breaches, that’s huge.
I know people love to read reports about healthcare data breaches (see one of my most popular posts on HIPAA Privacy Violations and HIPAA Lawsuits). It’s kind of like the rubber neckers on the freeway when there’s an accident. We have to turn our head to see what happened.
Here’s another part of the article linked above that provides more details.
So far, there have been no reports of people using the information to obtain fraudulent credit cards and loans.
But due to the breach’s scope and potential for harm, the FBI is now investigating.
“Computer intrusions are one of our top priorities,” said Greg Bretzing, assistant special agent in charge of the FBI’s Salt Lake City office. He declined to comment on the investigation or confirm the suspicions of state technology officials who traced the hacker, or hackers, to Eastern Europe.
Unfortunately, we’re really short on details of what actually happened. Not all hacks are created equal. In many cases, a computer gets hacked by a bot with no thought of what information is actually on the server. These bots just scan the internet for vulnerabilities and go through any doors that people left open. Often it’s just about the conquest and not about the information on the actual machine. Unless they give us more details, it will be hard to really know if this was intentional or coincidental.
Although, in this breach, a whole lot of social security numbers are at risk and their is a market for those since our whole financial life revolves around that number. I’ve had a number of Twitter conversations about the market for breached healthcare data. I’m still not convinced there is much of a market for it. I could imagine a scenario where a HUGE amount of aggregate healthcare data has some real value and could be sold to someone. I just don’t see the same value of an individual health record like there is with an individual social security number. Although, I’ll never underestimate the creativity of humans.
The State of Utah Medicaid is offering the standard 1 year identity theft service to those affected. Seems like identity theft services might be the business of the future since every breach turns to them to cover what happened. They haven’t offered any healthcare data identity theft services since I’ve never seen such a service. Is that service not available because it’s not really a problem? I know healthcare identity theft is an issue, but I don’t think those issues stem from breaches. I’d be interested if someone has information that says otherwise.
I’ll also add my regular disclaimer. this healthcare data breach has NOTHING to do with an EHR breach. I’m sure we’ll have a major breach of EHR data at some point in the future, but as of now insurance data and lost devices seems to dominate the healthcare breaches that I’ve seen.