On March 30, hackers cracked the password on an inadequately protected computer server housing Medicaid data at the Utah Department of Technology Services. They began removing data April 1.
The private information on nearly 800,000 Utahns was exposed, including Social Security numbers for 255,000 people, who are now eligible for a year's worth of free credit monitoring.
But so far, officials have prepared or mailed notices to only 155,000 who have some history with Medicaid. "They could be current clients or clients in the recent past," said Utah Department of Health spokesman Tom Hudachko.
Records on the remaining 125,000 are incomplete, making it difficult to verify their identities or contact them.
"In many cases we have only a Social Security number with no name or address attached," said Hudachko. That's because much of the data jeopardized were limited information that health providers sent to the state only to verify whether a patient is on Medicaid.
University of Utah Health Sciences, for example, "pings" the state's system on a daily basis for patients who say they are eligible for Medicaid, and once a week for new patients who are uninsured, said spokesman Christopher Nelson. U. hospitals don't make inquiries about people who are privately insured, he said.
The state could ask hospitals to help find patients, but the process would be slow and could raise privacy concerns for providers.
Instead, there's talk of cross-referencing the hacked data with other, verifiable information warehoused by agencies such as the Utah Tax Commission. Attorneys are still mulling possible legal barriers to that, said Hudachko.
For now, there's a hotline for people to inquire whether their information was hacked. But it already fields 2,500 inquiries a day from Medicaid recipients and doctors, and isn't equipped to handle much more.
Health officials opened a separate phone line late Tuesday that is staffed 24 hours and available in English and Spanish. Officials hope to add a feature to allow callers to enter information, such as their name and birth date, and receive an automated message confirming whether their data were exposed.
Technology officials, who blame the breach on an employee who didn't follow protocol, say steps have been taken to secure the Medicaid server.
But these remedies are cold comfort to state Democratic Chairman Jim Dabakis, who says the breach illustrates a "pathetic lack of leadership on the governor's part."
Dabakis pointed to bidding scandals at the Department of Alcoholic Beverage Control and Department of Transportation and leaked list of purported illegal immigrants by a Workforce Services employee.
"This is the latest link in a whole series of mismanagement," he said. "Can you imagine if you had a private business and you didn't put a password on and 800,000 identities and a lot of their Social Security numbers were let out? Republicans always say they want government to run like a business. If they did, Governor Herbert would be fired."
Herbert's spokeswoman Ally Isom retorted: "It's no surprise that the governor's political opponents would politicize this sensitive issue with blatantly inaccurate distortions about his actions and role. Bottom line: Our top priority is protecting Utahns, not playing politics."
firstname.lastname@example.org Tribune reporter Robert Gehrke contributed to this story.
Help for hacking victims
Protect yourself • Medicaid clients can call 1-855-238-3339 or go online to get more information about how to protect their identities.
Protect your child • The Utah Attorney General's Child Identity Protection provides a secure process to enroll a child's information with the national credit reporting company TransUnion.