Common Questions Learn the details about the data breach and what personal information was affected.
Unfortunately, there were 280,000 people whose Social Security numbers (SSN) were stolen by the hackers. We deeply regret this and apologize for the breach. We're taking every action we can to provide a higher level of assistance to those affected by the data breach.
On March 10, 2012, computer hackers illegally gained access to a Utah Department of Technology Services (DTS) computer server that stores Medicaid and CHIP claims data.
The hackers began removing personal information from the server on March 30, but it wasn't until April 2 that DTS detected the breach and immediately shut down the server.
By that time, the Social Security numbers of 280,000 people, as well as less-sensitive personal information of another 500,000 people, had been stolen.
What Information Was Stored on the Server?
Information stored on the server may have included Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and medical billing codes.
Personal financial information, such as bank account numbers or credit card numbers, WAS NOT stored on this server and WAS NOT compromised.
Did It Only Affect Medicaid and CHIP Clients?
At first, it appeared that the stolen information belonged to Medicaid and CHIP clients only. However, DTS discovered that other people had been affected.
Healthcare providers often send Medicaid Eligibility Inquiries to the state to find out if certain patients are enrolled in Medicaid or CHIP. Even if the patients aren't enrolled in either program, their inquiry and some of their personal info is temporarily stored by the state.
In other words, even if you're not on Medicaid or CHIP, but you or your child visited a healthcare provider in Utah four months before the breach, there's a chance your info was stolen. To find out if it was, click here.
How Did the Breach Happen?
The hackers were able to bypass the security system, thanks to an error on the server at the password authentication level.
DTS has sophisticated processes in place to totally secure all of the data on state computer servers, but this particular server hadn't been configured the same way.