Medicaid Hack Update: 500,000 Records and 280,000 SSNs Stolen

An anonymous reader writes "Utah's Medicaid hack estimate has grown a second time. This time we have gone from over 180,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients having their personal information stolen to a grand total of 780,000. More specifically, the state now says approximately 500,000 victims had sensitive personal information stolen and 280,000 victims had their Social Security numbers (SSNs) compromised."

Re:Not to be rude about it, but

[hrvatska]

Almost all US citizens over 65 are on Medicare, which is not the same as Medicaid. Some elderly are on both Medicare and Medicaid, but most are not.

Re:Simple solution:

[mrvan]

Yeah, but that's Luxembourg. Arrest like 5 people and you've arrested almost a quarter of the population. A lot harder to do that in the US.

You seem to be doing a good job, though...

This!

So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

This is the right question.

It so often sounds like these organizations lack high-end intrusion detection systems. It's usually a case of someone stumbling across the "open door " and sounding the alarm. Organizations that lack good IPS are unlikely to have good network auditing systems that record who accesses what and when for every file or network recorders that record every packet on the network. In fairness, that stuff is expensive, complex to install, maintain and use, and introduces storage issues. So, it is not unreasonable for a network to lack this stuff, even a government network with sensitive data.

But, the announcements of precise numbers of compromised accounts and so forth are hard to believe. I think its more a case of; 'we think this Excel file was copied and it had 150,000 numbers in it'. Oh wait; 'this other Excel file might have been read and it has 250,000 numbers in it'.

These guys are guessing. They don't have a clue what went missing or when. But, the scary thing is that the truly skilled intruders get in siphon off everything and move on without anyone ever knowing. Some may even lurk for months/years without ever being discovered.

What to do

[Jason+Levine]

My advice for anyone who's identity was stolen:

Step 1: Report it to all 3 credit agencies (Experian, TransUnion, and Equifax) and put fraud alerts on your credit files.

Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed.

Step 3: Freeze your credit file.

About the latter, fraud alerts last for 90 days and are only a warning sign to be on the lookout for fraud. Companies can (and do) ignore them from time to time. They aren't a guarantee that your credit won't be misused again. Freezing your file, however, means that nobody can add items to your credit unless you thaw it first. Yes, it means you can't get a loan or open up a store credit card on a whim, but that's the trade-off for peace of mind knowing that the thieves could have all of your personal info and still won't be able to do anything with it credit-wise.

Of course, freezing isn't a cure-all. ID thieves could still use your identity if they are arrested for a crime and you could find yourself with a criminal record you didn't "earn." Still, it's a very handy tool to use.

Re:What to do

[RobertLTux]

"Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed."

regarding that bit http://www.annualcreditreport.com/ is the address you need

or hit https://www.annualcreditreport.com/cra/order?mail for details on how to get this done (if you do the USPS method photocopy your DL and SS card and enclose that with the form)