• 5
  • Hospitals
  • 5
  • UT
  • 5
  • Utah Medicaid, Division of Integrated Healthcare: Utah Department of Health and Human Services

Utah Medicaid, Division of Integrated Healthcare: Utah Department of Health and Human Services

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The breach at the Utah Medicaid, Division of Integrated Healthcare: Utah Department of Health and Human Services in Utah involved a self-caused data breach affecting approximately 5,800 patients. This incident was not the result of an external attack but rather stemmed from a programming error within the organization’s mailing system. Specifically, benefits letters intended for Medicaid recipients across the state were sent to incorrect addresses due to a mistake in the software used for printing patient labels. This error led to the exposure of sensitive patient information, including names, birth dates, home addresses, phone numbers, and in some cases, patient ID numbers, which could be Social Security Numbers for many recipients. No financial data was included in the notices. The Utah Medicaid office responded by sending immediate notices to the affected patients and the Utah Department of Health and Human Services, advising on steps to protect against potential misuse of the exposed information[1].

In response to the breach, the Utah Department of Health and Human Services announced plans to send personalized notifications to the 5,800 affected Medicaid recipients. The department identified the error after a system coding mistake was discovered by State Mail and Distribution Services on May 8. The error affected less than 1% of all Medicaid members in Utah. The notifications aimed to detail the issues, inform about any personal data included in the letters, and provide actions to secure their accounts. For the approximately 200 individuals whose Medicare Health Insurance Claim Numbers (potentially their Social Security numbers) were exposed, the department offered credit monitoring services. To prevent future incidents, the department corrected the coding system errors and planned to increase mail testing procedures[5].

This incident highlights the importance of robust data handling and mailing processes within healthcare organizations to prevent unintended disclosures of sensitive patient information. It also underscores the need for immediate and transparent communication with affected individuals and regulatory bodies following a data breach, as well as the implementation of corrective measures to prevent recurrence.


References:

  1. IDStrong: Detailed account of the breach, including how it occurred, the type of information exposed, and the response from the Utah Medicaid office.

  2. KSL: Provides additional details on the breach’s discovery, the number of affected individuals, and the measures taken by the Utah Department of Health and Human Services in response.

Citations:

  1. https://www.idstrong.com/sentinel/utah-medicaid-suffered-data-breach/
  2. https://healthitsecurity.com/news/utah-health-system-suffers-healthcare-data-breach-103k-impacted
  3. https://www.theftkgroup.com/medicaidhackupdaterecordsandssnsstolen1?journal=210
  4. https://hacknotice.com/2023/06/06/utah-medicaid-division-of-integrated-healthcare-utah-department-of-health-and-human-services/
  5. https://www.ksl.com/article/50661273/medicaid-letters-sent-to-wrong-addresses-utah-health-department-reports-data-breach
  6. https://archive.sltrib.com/article.php?id=53879423&itype=CMSID
  7. https://medicaid.utah.gov/hipaa/
  8. https://patexia.com/feed/utah-data-breach-highlights-vulnerability-of-health-records-3787
  9. https://www.govtech.com/security/utah-health-data-breach-blamed-on-configuration-error.html
  10. https://medicaid.utah.gov/concern-or-complaint/
  11. https://www.darkreading.com/cyber-risk/utah-s-medicaid-data-breach-worse-than-expected
  12. https://oig.hhs.gov/oas/reports/region7/71500455.pdf
  13. https://www.databreachtoday.com/utah-health-breach-affects-780000-a-4667
  14. https://attorneygeneral.utah.gov/ag-reyes-announces-multistate-settlement-with-inmediata-for-data-breach/
  15. https://www.darkreading.com/cyber-risk/utah-health-data-breach-affects-nearly-800-000
  16. https://aegisinsurancemarkets.com/Blog/PostId/34/utah-department-of-health-faces-second-data-breach-in-one-year
  17. https://www.securityweek.com/utah-medical-group-discloses-data-breach-affecting-over-580000-patients/
  18. https://www.deseret.com/2012/4/5/20500845/medicaid-breach-reminiscent-of-the-list-with-personal-info-leaked
  19. https://medicaid.utah.gov/privacy-policy-default/
  20. https://www.infosecurity-magazine.com/news/utah-governor-calls-for-state-wide-data-audit/
Breach Submission Date Jun 06, 2023
Converted Entity Name Utah Medicaid, Division of Integrated Healthcare: Utah Department of Health and Human Services
Converted Entity Type Health Plan
State UT
Individuals Affected 5,800
Breach Type Unauthorized Access/Disclosure

Breach Information Location Paper/Films

Business Associate Present Yes