Report: Utah's health data breach was a costly mistake
Utah's 2012 health data breach a security slip that exposed the personal information of three-quarters of a million residents to hackers was a costly mistake.
The state has spent about $9 million on security audits, upgrades and credit monitoring for victims and that's just the beginning.
An estimated 122,000 victims will fall prey to identity theft, each spending an average of 20 hours and $770.49 resolving the fraud, predicts Javelin Strategy & Research. The total amount of fraud perpetrated, a cost largely borne by banks and retailers, could approach $406 million.
"Data security is everyone's problem," said Al Pascual, a security, risk and fraud analyst at Javelin.
The group singled out Utah's breach for analysis because it shows how much havoc can be wreaked by simple human error, said Pascual, noting it should serve as a wake up call to consumers.
Javelin's findings are based on a consumer survey used to produce an annual identity theft report, a task the firm inherited from the Federal Trade Commission (FTC).
"Increasingly we're seeing a correlation between [data] breaches and fraud. It's gotten to the point where if you were a breach victim, there's a 1 in 4 chance you'll be a victim of fraud," Pascual said. "The bad guys are getting better at using this information. They are not just dumpster diving or looking in your mailbox."
Data breaches happen with frightening frequency in the public and private sectors, said Pascual. But Utah's security lapse stands out for its size, because it involved health information and was "something that could easily have been avoided," he said. "There was also a good deal of information about the breach. Commercial enterprises tend to be less forthcoming when breaches occur."
In late March 2012, hackers broke into a Medicaid server that a technician had placed online without changing the factory password and downloaded the personal information of 780,000 Utahns. Some were on Medicaid, but also affected were the privately insured, uninsured and retirees on Medicare whose providers had sent their data to Medicaid in the hopes of billing the low-income program.
Most at risk are the 280,000 individuals whose Social Security numbers were exposed, said Pascual. A survey of the top 25 financial institutions in America found 80 percent use Social Security numbers to verify a customer's identity.
Get someone's number and pair it with other information, such as an account holder's name and birthdate, and you can raid a person's bank account, change online passwords or open up a new line of credit, he said. And once a Social Security number is lost, it's virtually impossible to replace.
"We've railed against its use for years," said Pascual.
He applauds state officials for "really going out of their way post-breach to protect people."
The effort has cost the state Department of Health $3.4 million:
• $467,000 to hire an ombudsman, staff a hotline, run ads and hold community meetings to notify victims.
• $1.9 million to provide two years of credit monitoring for those whose Social Security numbers were compromised.
• $741,000 on a legal consultant and forensic security audit.
• $300,000 to create an Office of Health Information and Data Security.
The Department of Technology Services spent $1.2 million on a security assessment of all state servers. And this year the Legislature appropriated $4.4 million for security upgrades, according to the agency's spokeswoman, Stephanie Weiss.
But none of this is any good to victims unless they protect themselves, including taking advantage of credit monitoring, said Pascual. To date, only 59,500 have signed up.
"People need to call their bank and say, 'My Social Security number was stolen. What can you do to protect me? Do you allow someone to call in with a Social Security number and change an account or withdraw money?' " said Pascual.
At least 10 breach victims have reported instances of fraud, health department records show.
Three individuals claim someone filed fraudulent tax returns under their names or their child's name. Some have been denied public aid due to their identities being stolen by someone who used it to gain employment.
A man from New Haven complained someone opened a $2,000 line of credit under his name, which he was able to remove from his credit report.
Another said a thief, using the last four digits of his Social Security number, was able to add cellphones to his AT&T contract and make an inquiry for a car loan.
One victim was even stopped by police who said he had outstanding warrants; he was also informed by the IRS of suspicious earnings on his Social Security number.
"In all cases we recommend these individuals contact law enforcement and file a police report. Most have, and we are not aware of any instances of misuse of a SSN being traced back to the breach. Further, we look for trends among those who have reported misuse and have been unable to detect any," said health department spokesman Tom Hudachko. "Unfortunately, identity theft is always occurring and with a breach involving as many victims as this one did, there will undoubtedly be some 'coincidental ID theft.'"
Nevertheless, he encourages all breach victims who detect misuse of their Social Security number to contact the ombudsman (firstname.lastname@example.org or 801-538-6923).