State officials in Utah now say a computer breach 10 days ago is far worse than they originally thought. Hackers made off with 280,000 Social Security numbers and "approximately 500,000 other victims had less-sensitive information stolen," according to the Utah Department of Health (UDOH).
Officials originally said that about 25,000 state Medicaid records were accessed on March 30 when unidentified hackers believed to be from Eastern Europe exploited a configuration error for a new state computer server. The error left the server without security protection.
But as the investigation continues, the number of potential victims mushrooms. As recently as Friday, UDOH said 25,000 Social Security numbers were compromised and 160,000 other people lost other personal information to the hackers.
UDOH says the FBI is investigating. The state health agency is also offering free credit monitoring for a year to those at greatest risk of identity theft.
The hacking victims are described as recipients of Medicaid, people who inquired about Medicaid eligibility and children receiving benefits under the state Children's Health Insurance Program (CHIP).
"The victims are likely to be people who have visited a health care provider in the past four months," UDOH says in a news release.
Identifying and warning some of the victims requires consultation with other government agencies because some of the stolen Social Security numbers were listed without names and addresses.
State officials also warn that "scammers may attempt" to victimize the hacker victims again by seeking identifying information in bogus phone calls and emails supposedly from state agencies responding to the breach.
The employee responsible for the computer error has been identified but that information has not been released.
Last week, the Salt Lake Tribune reported that state Medicaid director Michael Hales "emphasized there was no evidence of an inside job, as happened in 2010 when two Department of Workforce Services employees accessed confidential documents to create a list of 1,300 alleged illegal immigrants that was leaked to law enforcement and the news media."
"This is some external party maliciously attacking a server," Hales told the Tribune. "It just looks like processes broke down."