Utahns whose Social Security numbers were compromised last March when hackers broke into a poorly protected state server now have until Sept. 30 to register for free credit monitoring.
The Utah Department of Health extended the deadline hoping to reach a greater share of breach victims.
State officials have mailed letters, fielded questions on a 24-hour hotline and crisscrossed the state in an effort to alert the 780,000 Utahns whose personal information was put at risk. Of those, 255,000 had their Social Security numbers exposed —the group eligible for a year of credit monitoring and fraud insurance.
But to date, only 20 percent have taken the state up on its offer, said Utah’s Data Security Ombudsman Sheila Walsh-McDonald.
“It’s very important that as many people as possible take the opportunity to protect themselves by signing up for credit monitoring. It’s simple, it takes less than 10 minutes, and costs nothing to those whose Social Security numbers were breached,” she said.
The breach happened last March when hackers, purportedly based in Eastern Europe, broke into a Department of Technology Services server that had been mistakenly placed online with a factory password. The server contained the names, addresses and other personal information — in some cases, medical diagnoses — of Medicaid recipients, privately insured Utahns, retirees on Medicare and the uninsured.
About half of those with exposed Social Security numbers were on Medicaid; the other half had no history with the low-income health program.
The two groups have signed up for protections in equal numbers, said Walsh-McDonald. “I feel like I’m hearing from a very mixed population of families,” she said. “Parents with children on Medicaid who were affected are as being as proactive as those who have no connection to Medicaid. I’m just surprised how few people have signed up.”
Walsh-McDonald just wrapped up a statewide tour where about 260 breach victims were able to meet one-on-one with state officials.
Most voiced concern that a year’s worth of protection isn’t long enough, she said.
There are currently no plans to extend the length of credit monitoring, though the issue could surface at the Legislature this winter.
A lot depends on the results of two audits of the state’s servers and security protocols, Walsh-McDonald said.
Federal Health and Human Services officials are also investigating the breach and yet to issue findings or penalties. The FBI is handling the criminal investigation and could not be reached for an update.
Health officials, however, have no reason to believe that anyone’s information has been misused, said health department spokesman Tom Hudachko.
Those who aren’t sure if they were swept up in the breach can still call the state’s hotline at 1-855-238-3339. Information is also available in English and Spanish at http://health.utah.gov/databreach/.
O Call the Utah Department of Health’s 24-hour hotline at 1-855-238-3339 or visit the virtual Data Breach Solution center. > health.utah.gov/databreach