Whether it constitutes the largest release of personal health information by a Utah state agency, officials couldn't say.
But it touches one in every six Utahns, landing in the top 10 health security failures reported since late 2009 to the U.S. Department of Health and Human Services.
The latest victims are people whose information was sent to the state by their health provider to verify their status as possible Medicaid recipients, said Utah Medicaid Director Michael Hales.
They may or may not be on Medicaid, but likely sought medical care sometime in the past four months, Hales said.
So far, there have been no reports of people using the information to obtain fraudulent credit cards and loans.
But due to the breach's scope and potential for harm, the FBI is now investigating.
"Computer intrusions are one of our top priorities," said Greg Bretzing, assistant special agent in charge of the FBI's Salt Lake City office. He declined to comment on the investigation or confirm the suspicions of state technology officials who traced the hacker, or hackers, to Eastern Europe.
On March 30, hackers broke into an inadequately protected computer server at the Utah Department of Technology Services and began removing data April 1.
Technology officials detected the security breach April 2 and immediately shut it down.
In investigating, officials focused first on the Medicaid claims, because they were believed to be most at risk, said technology services director Stephen Fletcher. Then it was discovered that Medicaid eligibility inquiries also were stored on the server.
"We're confident we've found all those affected," Fletcher said. "We've gone through every piece of data on that server."
The breach is being blamed on an employee who put a server online without its proper security. State officials believe it was a mistake but have declined to name the employee, who may face discipline.
Fletcher said new processes have been put in place to make sure the breach doesn't happen again. Medical data on the state's computers aren't encrypted, he said, noting federal rules don't require it.
Utah could face federal penalties or fines. How the state is judged to have handled the breach will factor into any decision by the Centers for Medicare and Medicaid.
The state is working to notify all those at risk, which will happen by mail, said Health Department spokesman Tom Hudachko. "We strongly recommend that people do not provide private information over the phone or by email."
Concerned Medicaid clients can call 1-855-238-3339 or go online at http://1.usa.gov/HvHqrB to get more information on how to protect themselves and their identities. People who had their Social Security numbers exposed will receive one free year of credit monitoring services.
In addition, anyone can protect their identity and financial information by placing a freeze or fraud alert on their personal credit file with the nation's credit bureaus.
"People [affected by the breach] ought to be looking at their accounts on a daily basis, their credit card and bank statements," said Kirk Torgensen, chief deputy of the Utah Attorney General's criminal division.
For information on how to do this, go here: http://idtheft.utah.gov.
Help for hacking victims
Protect yourself • Concerned Medicaid clients can call 1-855-238-3339 or go online to get more information on how to protect their identities.
Protect your child • The Utah Attorney General's Child Identity Protection provides a secure process to enroll a child's information with the national credit reporting company TransUnion.