SALT LAKE CITY — The number of people whose personal information was stolen from a state health department computer server has grown to more than 700,000 — up from initial reports of 24,000 files, state officials announced Monday.
Some 280,000 people had their Social Security numbers listed in state health data stolen from a computer server last week in what local officials are calling the most extensive data breach in state history.
Another 500,000 victims had less sensitive personal information taken, state health department and technology services officials said. The "less sensitive" information was described as names, dates of birth and addresses. Officials said there may be some overlap between the groups, and information was still being reviewed.
The victims are likely to be people who visited health care providers in the past four months. Many are children who are enrolled in Children's Health Insurance Program or Medicaid, although adults are also victims, officials said.
Thus far the state has received no reports that the information has been used to fraudulently obtain loans, credit cards or for other purposes.
The state is in the process of notifying all victims and will contact them by mail. A website has been established — www.health.utah.gov/databreach — that provides detailed information and resources for victims. Medicaid and CHIP clients can also call 1-800-662-9651 for assistance.
Utah Department of Health spokesman Tom Hudachko warned victims that scammers may contact them on the phone or by e-mail requesting further information.
"We strongly recommend that people do not provide private information in response to telephone or email contacts they have not initiated," Hudachko said.
"Possible victims should be aware that nobody from the Utah Department of Health or the Utah Department of Technology Services will be contacting them for personal information through email or over the phone.
Kirk Torgensen, chief deputy of Utah Attorney General's Office Criminal Division, said victims need to act swiftly upon receiving their notifications.
"Be vigilant. Look at your accounts. Look at them daily. Look at your credit report. If you feel like anything is amiss, please go to our website," he said, referring to www.idtheft.gov.
The state is offering free credit monitoring for a year for victims whose Social Security numbers were compromised.
Torgensen further encouraged victims to freeze their credit or that of their children to ensure that the information that was breached cannot be used fraudulently. The "freeze" costs about $10 but it could save many headaches down the road.
"People really need to look at their credit files right away," he said. Many victims do not act for nine months to a year, which can be too late. "Then the damage can be terrible," he said.
The state Department of Technology Services is working with local law enforcement and the FBI on a criminal investigation into the security breach.
Greg Bretzing, assistant special agent in charge of the FBI's Salt Lake City office, confirmed that "a federal criminal computer intrusion investigation" has been opened.
"We will be working, and have been working, with the state over the last week or so to determine the nature of the intrusion and the information that was stolen," Bretzing said.
The data attack occurred after hackers on March 30, 2012 illegally gained access to a Utah Department of Technology Services computer server that stores Medicaid and CHIP data claims. DTS officials detected the security breach on April 2, and immediately shut down the server.
Hudachko said a "configuration error" at the state technology services level allowed the hacker or hackers to circumvent the security system.
"DTS has processes in place to ensure the state's data is secure, but this particular server was not configured to normal procedure," he said.4 comments on this story
"DTS has identified where this breakdown occurred and has implemented new processes to ensure this type of breach will not happen again."
Stephen Fletcher, executive director of the Utah Department of Technology Services, said the ongoing investigation into the breach suggests the server was infiltrated from outside of state government.
"All of the forensics investigation we have uncovered thus far, we believe it was done from the outside, not the inside," Fletcher said.
The review of the data is ongoing, but Fletcher said state officials believe the number of possible victims released Monday is final.