SALT LAKE CITY - An additional 750,000 people had their personal information stolen by hackers, Utah health officials said Monday after discovering that the thieves downloaded thousands more files of data than authorities initially believed.
Officials originally estimated that 24,000 state residents had their records stolen after a computer tracked to Eastern Europe infiltrated a server beginning March 30. They then changed that number to 182,000 victims.
Health officials now believe nearly 900,000 people have had their personal data stolen.
The information includes Social Security numbers, Health Department spokesman Tom Hudachko said at a news conference. Some files also contained information needed to verify Medicaid coverage, as well as names, addresses, or other personal information, he added.
The information was stolen from a new server at the Health Department, said Stephen Fletcher, executive director of the Department of Technology Services. Although the state has multiple layers of security on every server, a technician installed a password that was not as secure as needed.
Some of the data belonged to beneficiaries of Medicaid and a health care program for children from low-income families, department officials said last week. That would include children, whose lack of a credit report could make monitoring for identity theft difficult.
In all, the hackers downloaded about 224,000 files, some of which contained hundreds of records, Hudachko said.
Since the data breach was discovered last week, state officials have revised the number of victims three times. The state has reviewed all the files stored on the breached server, and Fletcher said it was unlikely the number would increase again.
The state also checked other servers used by agencies and has not discovered other breaches.
Residents whose information was stolen will be alerted, with the priority going to those whose Social Security numbers were taken, said Michael Hales, deputy director of the Health Department. The department is offering free credit monitoring for a year to those residents.
Monitoring financial accounts is important, but identity theft victims should also alert the three credit bureaus about potential fraud, said Kirk Torgensen, a chief deputy with the Utah attorney general’s office who specializes in identity theft.
Protecting children from identity theft can be more difficult, because they normally have no credit report, credit cards, or bank accounts to monitor. To assist parents, the state was working with the credit bureau TransUnion to register children’s Social Security numbers and essentially freeze their credit until they are old enough to need it.
A state website allows fraud victims to file an affidavit that will reduce the amount of time - sometimes hundreds of hours - that identity theft victims have to spend fixing their credit.