Sensitive data that was compromised in a massive health records breach had been lingering on state computers for months, contrary to the standard procedure that it be erased within a day of being submitted, according to Utah officials.
Utah Department of Health chief David Patton revealed the violation of security protocol at a Wednesday community forum for the hundreds of thousands of people whose personal information was exposed in the attack uncovered last month. He said the data also was behind a weak password.
"We are doing everything in our power to alleviate the pain that has been caused by this," Patton said, according to The Deseret News.
While only a few dozen attended the meeting in Salt Lake City, up to 780,000 people had some sort of personal information exposed by the attack on a state server. Victims included people in Medicaid and a health insurance program for children in low-income families, but officials say others who weren't enrolled in those programs also were affected.
That's because health care providers often submit personal information to the state to check whether a patient is a possible Medicaid recipient.
The attackers used an IP address, which is used to identify and locate a computer online, that came from an eastern European country, according to Utah officials. While the IP address is a good place to start the investigation, it's possible the hackers hijacked a computer server that was nowhere near their physical location.
State officials are offering a year of free credit monitoring to people whose Social Security numbers were taken, but say only 20,000 of the 280,000 individuals who fall into that category have signed up.
"People are confused and I'm worried because many people still have yet to take action," said Sheila Walsh-McDonald of Salt Lake Community Action Program, a nonprofit advocating for low income residents.
Attendees at the forum asked whether anyone at the state is being disciplined for the breach.
Patton, who noted his own father was affected, said multiple investigations are underway, but the priority was on preventing identity theft.
"We are in the mode of trying to help people, not trying to find culprits," Patton said. "I would not put any limit on what a hacker could do with your Social Security number."