BreachExchange mailing list archives
Utah health department reports another data breach
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 17 Jan 2013 13:47:04 -0500
http://www.cachevalleydaily.com/news/state/article_c3dfb2b6-7e9d-5381-96fa-0cf552c5b7f7.html

Personal information for Utah Medicaid recipients has once again been compromised after a USB memory stick containing the data was lost, the state Department of Health announced Wednesday. Data for about 6,000 recipients were lost by an employee of an outside contractor while traveling, the agency said in a statement.

The security breach comes less than a year after the Department of Health announced hackers broke into a government server and stole the personal information of about 780,000 Medicaid recipients and participants in the Children's Health Insurance Program, including the Social Security numbers of about 280,000 of them. Utah's chief technology officer resigned in the wake of the spring 2012 theft.

The Health Department on Wednesday said the most recent breach is limited to Medicaid recipients' names, Medicaid identification numbers, ages and recent prescription drug use. No Social Security numbers or financial information were included in the lost data, the department said.

The contractor, Goold Health Systems, handles Medicaid pharmacy transactions for the Health Department. Department spokesman Tom Hudachko said the GHS employee, identified only as a woman from Denver, was having trouble with an Internet connection Thursday while trying to upload the data to a server. The employee saved the personal information to an unencrypted USB memory stick and left the Health Department with the device. The employee lost the stick sometime in the following days while traveling between Salt Lake City, Denver and Washington, D.C.

GHS confirmed the information was lost Tuesday, Hudachko said, and the employee is no longer allowed to work with data for the Health Department. The employee violated both Health Department policy and the contract GHS had with the agency.

Health Department Deputy Director and state Medicaid Director Michael Hales said that because the information did not include Social Security numbers or financial data, there's a minimal risk that the breach will lead to identity theft. The department has no reason to believe the data were targeted by anyone for "malicious purposes," Hales said in a statement.

The Health Department is in the process of sending out letters to the individuals whose information was lost and said it is taking steps to protect them from potential fraud. The agency's executive director, Dr. David Patton, said he's asked for a legal review of the contract with GHS and intends to pursue "whatever financial or contractual remedies are available in order to ensure GHS is held accountable for this serious mistake," he said.

Hudachko said the breach is frustrating for the department "because we've essentially spent the last nine months responding to the breach that we had last year." He said that in the past nine months, the department has tried to figure out where to strengthen its system, enacted more than 100 new policies and trained almost 400 employees in data protection.

"Unfortunately, despite all those efforts that we've undertaken, it just takes one individual who steps outside of policy and disregard of protocol, and you've got an incident like this that happens," he said.

Though it was a contractor that lost the information, Hudachko said the department will still take full responsibility.