A little over a month ago the State of Utah discovered one of its servers was under attack, reportedly by Eastern European hackers.
That’s almost one year to the day of a similar data loss incident suffered by the State of Texas of eerily similar circumstances.
The attackers gained access to a server used by the state to receive Medicare, Medicaid and children’s health service claims.
Unfortunately it is a reasonably common practice for health care providers to submit information on other patients as well, simply to determine if they may qualify for coverage.
This means that the victims aren’t limited to those receiving subsidized health services from the state.
On March 30 the attackers began siphoning the names, addresses, birth dates and other personal information of 500,000 Utah residents. The attackers were also able to exfiltrate that data and the social security numbers of 280,000 additional residents.
How did the attackers gain access to this highly sensitive information? The state’s new CIO, Mark VanOrden, spoke with the Deseret News and stated:
"Ninety-nine percent of the state's data is behind two firewalls, this information was not. It was not encrypted and it did not have hardened passwords."
The server had been originally installed by a third-party contractor and security audit procedures were not followed. In this case every mistake that could be made when handling personally identifiable information was made.
- The data was not encrypted.
- The data was preserved for longer than necessary, exposing more information when compromised.
- Default passwords for service accounts were not changed/disabled.
- Regular penetration tests and audits were not being performed to discover the mistake.
The state is offering one year of credit monitoring to victims of the theft, for more information and advice from the state please visit http://www.health.utah.gov/databreach/.
Of course one year is not really much protection considering your social security number is with you for life, and most of us don’t change addresses all that often. Utah Department of Health Director Dr. David Patton apparently doesn’t understand that social security numbers are a far more critical thing to lose than credit card numbers.
Dr Patton suggested that one year was enough, because after one year the information “goes stale”.
It is this kind of attitude that might contribute to bureaucrats making half-baked attempts at protecting the data to begin with, not considering that these incidents may haunt victims their whole lives.
Now that we have seen nearly identical incidents in two US states, let’s hope this puts the other 48 on notice and triggers a response to ensure their residents are better protected.
Having processes and procedures is a start, but you must actually adhere to them to have a fighting chance against modern internet thieves.