Medicaid incident. How much cost a data breach?

Pierluigi Paganini April 11, 2012

The Utah Department of Technology Services (DTS) has announced that the Utah Department of Health (UDOH) was victim of an hack. On Monday the server that hosts Medicaid was hacked, the news of the breach has been published on Wednesday.
In a first time the entity of the data breach has been estimated in 181,604 records of Medicaid and Children’s Health Insurance Plan (CHIP), exposing personal information. Around 25,096 ot the total record stolen appear had their Social Security numbers (SSNs) compromised.  Immediately the response of the law enforcement,  including the FBI, that has started the investigation on the incident.

Unfortunately, a review of the estimated scale of the breach showed a bleak landscape, the number of records has grown from 180.000 to 780.000, what is really serious is that approximately 500,000 victims had sensitive personal information stolen and 280,000 victims had their Social Security numbers (SSNs) compromised.

The attack conduced on March 30, 2012 seems to be originated from Eastern Europe, the target was a server used as storage for client’s claims, each of them containing sensible information like client names, addresses, birth dates, SSNs, physician’s names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes. The data related to customer’s claims have been exposed that a misconfiguration of the authentication process that allows attackers to access to the information.

DTS has discovered the branched server and has turned off the server. The incident response of the company has restored the correct configuration for the corrupted server and a global check has been done on the entire infrastructure.

Who are the real victims of the hack?

The victims are likely to be customers who have visited a health care provider in the four months before the breach, some may be Medicaid or CHIP recipients,  others are individuals whose health care providers were unsure as to their status as Medicaid recipients.

The situation is really critical, the UDOH must manage the internet before the damages will increase, preserving those clients whose personal information was stolen during the attack, giving priority to the customers whose SSNs were compromised.  The company is suggesting to the Medicaid clients to monitor their credit and bank accounts. Victims who had their SSNs stolen will receive one year of free credit monitoring services.

“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,”

UDOH Deputy Director Michael Hales said in a statement.

“But we also hope they understand we are doing everything we can to protect them from further harm.”

As usual after incidents like the one we are discussing, the accounts exposed may be a victim of further attacks such as phishing-type attacks, for this reason the company has invited customers to be wary of all kinds of communication that could seems to be sent from the institutions affected. The users must be alerted signaling any suspect situation that could be observed in the days after the attack. DTS has started the process of identifying these additional victims, and the state will be sending letters directly to them as they are identified.

Official communication of the organization on the web site says:

Possible victims should be aware that nobody from DTS or UDOH will be contacting them and asking for personal information over the phone or via e-email regarding this incident. Scammers may attempt to reach victims in this manner. We strongly recommend that people do not provide private information in response to telephone or e-mail contacts they have not initiated.

Yesterday, April 10th the Utah Department of Health (UDOH) has established a new hotline for concerned citizens to call for information on the data breach that compromised peoples’ personal information. The experts believe that the number of 780,000 account compromised is just an estimation and only in the next days we will have more detailed info on the breach.  Events like this pose troubling questions about the effectiveness of measures to protect such critical information. A data breach can have a direct devastating impact on the company victim, but what is much more worrying is the damage done to the customer difficult to quantify, especially in critical fields such as medicine disclosure of information concerning the health of an individual may lead to discrimination irremediably compromising the experience of the patient.

Despite knowing that nothing is safe, it must be said that unfortunately still many structures managing sensitive information in too shallow, I am of course referring to the specific case for which investigations are underway, but the real nature faced by sectors such as health. In Italy the problem is dramatic, we are in disarray and similar incidents could occur any day. The awareness of the threat is nothing, the economic crisis and an obtuse and arrogant ruling class have made the situation untenable, and the expense will be ordinary citizens.

But how much does a data breach?

According The annual Ponemon Institute Cost of Data Breach Study for the first time in last seven years, the cost of data breach actually decreased. The average per capita cost of a data breach is decreased from $214 to  $194 per compromised record.

Another interesting signal is provided by total average cost of data breach trend that is decreased from $7.2 million to $5.5 million respect last year, this suggests that organizations are making significant improvements in how they prevent and respond to a data breach.

The cost reduction according the Study is related to the improving the response to the incident. The Study has addressed has most affected sector Communications, Pharmaceutical, Financial and Healthcare, negligent employees and malicious attacks are most often the cause of the data breach. Om the sample of 49 companies studied, thirty-nine percent of incidents involved a negligent employee or contractor, 37 percent concerned a malicious or criminal attack, and 24 percent involved system glitches including a combination of both IT and business process failures.

Analyzing the main causes related to criminals attacks we can note that the majority is related to the activities of malicious insider or the effect of any kind of malware (e.g. viruses, malware, worms, trojans ).

In conclusion we can see a response from the institutions and organizations to incidents like the one discussed, however, the figures indicate that similar phenomena continue to play a significant role in the management of an enterprise. Positive signals from lower costs, a reduction that I hope is not temporary. The phenomena described are striking increasing due the cybercrime raising and the warfare operations conducted by foreign states against critical infrastructures. The road is the right one, but there is still much to do.

Pierluigi Paganini



you might also like

leave a comment