Utah health data breach: A lesson in the myriad benefits of prevention

The theft of Social Security numbers provides cyber criminals a gift that keeps on giving, posing the potential for fraud for years. When Eastern European hackers gained access to healthcare information for roughly 780,000 Medicaid participants in Utah in March 2012, the Social Security numbers for 280,000 beneficiaries were compromised.

Al Pascual, a senior analyst of security, risk and fraud at Javelin Strategy & Research, analyzed that breach, among others, for a Data Breach Fraud Impact Report, due out later this month.

"Data breaches are precursors to fraud, and failing to protect [personally identifiable information] exposes everyone to pain," Pascual wrote in a blog post. Pascual spoke to FierceHealthIT about the Utah breach.

FierceHealthIT: What did your analysis of the Utah breach reveal?

Pascual: We looked at a number of breaches across various industries and found that if you were a data breach victim in 2010, the odds that you could become a victim of fraud were better than one in 10. This past year, if you were a data breach victim, the odds that you would become a victim of fraud were one in four. What we're finding is that criminals are getting better at using data breach information to commit fraud. They're getting better at finding it, better at selling it. Criminals aren't digging through trash anymore, they're not stealing your mail to get your information. They're getting it through data breaches and malware.

We want to talk about not only what the state of Utah could have done better, but also, now that the breach has happened, what that means for the financial industry. The industry is pretty mindful of potential breaches with [credit card] information, but when a breach occurs and they don't have confirmation that it ties in with any of your accounts, they don't do anything at all. Financial institutions in Utah need to be reaching out to customers and telling them that if they were a victim of that breach, here's what they need to do to protect their accounts. Especially with it being Social Security numbers. That's like the keys to the castle.

We looked at account takeovers last year and over half of those victims had their Social Security number breached. That Social Security number can be used to lock consumers out of their accounts, to wire large sums of money … In the age of voice recognition and other technologies, we're still relying on nine digits and putting consumers at risk.

FierceHealthIT: After the breach, did the state of Utah react appropriately?

Pascual: I think the state of Utah approached it the right way. Of course, the CTO resigned. He basically took responsibility for what happened. It happened because they didn't follow some very basic steps.

After the fact, they've hired an auditor, they're setting up a panel to look at best practices, they launched IRIS (an identity theft reporting information system), they've increased their budget and staff. They've done what they need to do post-breach. That it had to happen afterward is a shame. Now they're pulling out the stops. They've had a couple of incidents since--no system is perfect--but they've done quite a few things that they should have done earlier.

FierceHealthIT: What should have been done to prevent the breach?

Pascual: They didn't have system lifecycle management in place--some controls or a checklist. In decommissioning a server and lighting up a test server and transferring information from one to the other, without that checklist in place, they didn't realize that their contractor never changed default settings on [the new server]. It likely had a default password on it, so that opened them up to this breach.

They didn't do a risk assessment. If they had done a risk assessment, they would have realized they were storing 280,000 Social Security numbers that were not encrypted. Yet they're under the heavy hand of regulation. They have to worry about HIPAA, about HITECH. If you're holding something of value and you could be held liable and fined for not protecting it, then you're going to protect it. So these are things that businesses that are storing extensive amounts of consumer information should be doing. It's costing between $2 million and $10 million to resolve this, but it would have cost only a fraction of that to do what they needed to do in the first place.

FierceHealthIT: Has any identity theft been reported as a result of that breach?

Pascual: It has not. It's very, very difficult, though, to tie any piece of information to a breach in and of itself. A Social Security number can be lost through a variety of channels. Though a Social Security number was lost, it could have been through malware, it could have been stolen from a healthcare office somewhere else. When we ask consumers precisely how their information was lost when a fraud has been committed, we can only get an answer four out of 10 times. That's not an easy thing for law enforcement, either.

But the information lost in this case is Social Security numbers. They're good for a lifetime. Although we haven't seen any crime yet that we can tie back, we still have 20, 30, 40 years to watch and see.

We're projecting 122,000 cases of fraud as a result. Data breach victims who later become victims of fraud will end up each spending $770 out of pocket to resolve the fraud. They're going to spend about 20 hours each resolving it. Then there's the cost of fraud that's borne by the business. For each incident of fraud, we're projecting it will cost $3,327.

Editor's note: This interview has been edited for length and clarity.