"This is some external party maliciously attacking a server," Hales said. "It just looks like processes broke down."
While the breach was traced to an Eastern European location, investigators don't know if that is where the hacking originated.
The breach was initially reported Wednesday as involving 24,000 claims. As the investigation progressed, officials said 24,000 files had been stolen, which meant the number of people affected would be far higher. Hospitals, clinics and providers batch multiple claims into files for submission to the Health Department. A single file can contain claims information on hundreds of individuals.
The state's computer systems are the responsibility of the Department of Technology Services. On Thursday, Boyd Webb, the agency's chief information security officer, said he knew who was responsible for putting the server online without its proper security but wouldn't give a name. "I believe it was just a mistake," he said.
The state manages 260,000 Medicaid clients and 40,000 in CHIP. About two out of three Medicaid recipients are children.
Technology Services computer servers have multi-layered security systems that include many controls. Utah Department of Health spokesman Tom Hudachko said that in this particular incident, a configuration error occurred at the level where passwords are entered, allowing the hacker to invade the security system. Technology Services has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure.
Technology Services detected an "unusual volume [of data] streaming out of the server" on Monday morning, Hales said.
Hudachko said the Health Department will immediately begin reaching out to clients whose personal information was stolen during the attack, with priority placed on clients whose Social Security numbers were jeopardized. Those clients will receive a letter in the mail instructing them how to take advantage of free credit monitoring services for one year.
Hales said the state has contracted with the credit-reporting company Experian for the services, which he estimated would cost taxpayers $460,000.
"We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised," Hales said. "But we also hope they understand we are doing everything we can to protect them from further harm."
Medicaid clients are given identity numbers as alternatives to using Social Security numbers after they have transitioned into the system. Their records are most vulnerable to hackers intent on identity theft during that transition gap. The claims records also likely would have included health conditions, birth dates, addresses, physicians' names and other private information.
The stolen data included information on medical providers but not pharmacy records, Hales said.
The investigation into the security breach is ongoing, and the two agencies will continue to update the public, Hudachko said. Technology Services has started up new procedures to make sure this won't happen again, he said. The state Attorney General's Office, which sponsors the Identity Theft Reporting Information System, also is helping with the investigation.
The health department uses 125 of the state's 520 servers; only one was breached, said Hales.
Lincoln Nehring, senior health policy analyst with the nonprofit Voices for Utah's Children, said he has "all the confidence in the world the state has the expertise ... to make sure this never happens again."
Nehring said it would be hard to calculate the ongoing effects on children whose Social Security numbers were stolen. But he does have a major concern.
"Medicaid and CHIP already have a negative connotation in the community," he said. "Even if nothing happens with the stolen [information], I'm just worried this will make families even more reluctant to use these services to protect their health."
Help offered to potential victims of Utah computer hack
O Protect yourself • Concerned Medicaid clients can call 1-800-662-9651 or go online to get more information on how to protect themselves and their identities.
Protect your child • The Utah Attorney General's Child Identity Protection provides a secure process to enroll a child's information with the national credit reporting company TransUnion.