Medicaid Hack Update: 500,000 Records and 280,000 SSNs Stolen

An anonymous reader writes "Utah's Medicaid hack estimate has grown a second time. This time we have gone from over 180,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients having their personal information stolen to a grand total of 780,000. More specifically, the state now says approximately 500,000 victims had sensitive personal information stolen and 280,000 victims had their Social Security numbers (SSNs) compromised."

Re:Not to be rude about it, but

[hrvatska]

Almost all US citizens over 65 are on Medicare, which is not the same as Medicaid. Some elderly are on both Medicare and Medicaid, but most are not.

Re:Not to be rude about it, but

[vlm]

who is going to want SSN's of a bunch of poor people on Medicaid?

If you can fog a mirror you can get a car loan. A car can be driven across the border, to a chop shop, etc. If you're poor the interest rate will be 15% but if you stole the info and intend to never make a payment, no one cares. My mom had zero income, and someone with her info bought a pickup truck in Texas and disappeared into Mexico. She had no problem removing it from her credit history as it was beyond ridiculous, but if she were not so lucky, then it could have been a problem.

You don't need any money for an illegal to use your information to hold a job (IRS etc) or get free medical care. Actually a poor person has much better medical coverage than I do... so their info is more valuable than mine. The IRS thing with stolen SS numbers is no problem unless the illegal claims 15 exemptions and pays no tax.. then you have to pay their tax for them, or prove you're not working both as a sysadmin and a restaurant dishwasher simultaneously.

You don't need any money or credit record to visit a "check cashing place / payday loan joint" with a fake check, walk out with cash, and leave the victim to figure it all out.

So, how did they discover the leakage?

[SCHecklerX]

I always wonder about these stories. They are obviously so ate up with their infrastructure that they don't know how to properly configure, maintain, and secure it. So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

What to do

[Jason+Levine]

My advice for anyone who's identity was stolen:

Step 1: Report it to all 3 credit agencies (Experian, TransUnion, and Equifax) and put fraud alerts on your credit files.

Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed.

Step 3: Freeze your credit file.

About the latter, fraud alerts last for 90 days and are only a warning sign to be on the lookout for fraud. Companies can (and do) ignore them from time to time. They aren't a guarantee that your credit won't be misused again. Freezing your file, however, means that nobody can add items to your credit unless you thaw it first. Yes, it means you can't get a loan or open up a store credit card on a whim, but that's the trade-off for peace of mind knowing that the thieves could have all of your personal info and still won't be able to do anything with it credit-wise.

Of course, freezing isn't a cure-all. ID thieves could still use your identity if they are arrested for a crime and you could find yourself with a criminal record you didn't "earn." Still, it's a very handy tool to use.