
{"id":1861,"date":"2012-04-09T00:00:00","date_gmt":"2012-04-09T00:00:00","guid":{"rendered":"http:\/\/otava.test\/server-hack-leads-to-hipaa-violation-by-utah-department-of-health\/"},"modified":"2012-04-09T00:00:00","modified_gmt":"2012-04-09T00:00:00","slug":"server-hack-leads-to-hipaa-violation-by-utah-department-of-health","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/server-hack-leads-to-hipaa-violation-by-utah-department-of-health\/","title":{"rendered":"Server Hack Leads to HIPAA Violation by Utah Department of Health"},"content":{"rendered":"<p>4\/10 Update &#8211; 780,000 may be affected.<\/p>\n<p>A configuration error at the authentication level of a server allowed hackers from Eastern Europe to access 25,000 Social Security numbers and the personal records of over 181,000 individuals collected by the Utah Department of Health (UDOH). The server was managed by the Utah Department of Technology Services (DTS). While Medicaid claims records were being moved to a new server, hackers were able to access ePHI despite the DTS\u2019s security system, resulting in the latest <a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/hipaa-compliant-hosting\/resources\/what-is-a-hipaa-violation\">HIPAA violation<\/a>.<\/p>\n<p>Hackers removed 24,000 files from the server &#8211; according to the UDOH, one file can potentially contain claims information on hundreds of individuals. 
The UDOH reports that the DTS servers have multi-layered security systems containing perimeter security, network security, identity management, application security and data security, but the question remains: would they pass a HIPAA audit of their controls?<\/p>\n<p>The UDOH claims that the DTS has a process in place to secure their data, but the \u201cparticular server was not configured according to normal procedure.\u201d This may have simply been an oversight by DTS staff, but it also raises the question of whether or not their employees are trained in HIPAA security policies and procedures.<\/p>\n<p>An IT or data center organization that handles ePHI on its servers needs to have multiple layers of security, including staff trained to implement technology in accordance with HIPAA standards. The DTS should have an appointed security and risk management officer employed to oversee training, with documented dates of completion.<\/p>\n<p>The <a href=\"https:\/\/udohnews.blogspot.com\/2012\/04\/impact-of-dts-data-breach-on-medicaid.html\">UDOH blog<\/a> states the DTS has implemented new processes to prevent a future breach, including improving security controls related to implementing computer hardware and software, and increasing network monitoring and intrusion detection capabilities.<\/p>\n<p>In a previous blog, I wrote about <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/what-to-look-for-in-a-cloud-hosting-provider\/\">What to Look for in a Cloud Hosting Provider<\/a>, highlighting\u00a0the U.S. General Services Administration (GSA)\u2019s Dave McClure\u2019s criteria for a secure <a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/cloud\/\">cloud hosting<\/a> provider. One criterion included the need for continuous monitoring with real-time alerts instead of post-breach audits. 
The same holds true when seeking a <a href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/hipaa-compliant-cloud\/\">HIPAA hosting<\/a>\u00a0or <a href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/hipaa-compliant-cloud\/\">HIPAA cloud hosting<\/a> provider &#8211; network monitoring can alert IT staff of any unauthorized access to a server and allow them to move quickly to remediate.<\/p>\n<p>For more on HIPAA violations, including violation types, minimum and maximum penalties, and common mistakes made by companies resulting in a data breach, read <a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/hipaa-compliant-hosting\/resources\/what-is-a-hipaa-violation\">What is a HIPAA Violation?<\/a><\/p>\n<p>References:<br \/>\n<a href=\"https:\/\/udohnews.blogspot.com\/2012\/04\/impact-of-dts-data-breach-on-medicaid.html\">Impact of Medicaid Data Breach on DTS Server Widens<\/a><br \/>\n<a href=\"https:\/\/www.medlawblog.com\/articles\/hipaa-and-hit\/data-breach-of-24000-medicaid-claims-by-hackers\/\">Data Breach of 24,000 Medicaid Claims by Hackers<\/a><br \/>\n<a href=\"https:\/\/www.zdnet.com\/blog\/security\/medicaid-hacked-over-181000-records-and-25000-ssns-stolen\/11432\">Medicaid Hacked: Over 181,000 Records and 25,000 SSNs Stolen<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>4\/10 Update &#8211; 780,000 may be affected. A configuration error at the authentication level of a server allowed hackers from Eastern Europe to access 25,000 social security numbers and the personal records of over 181,000 individuals collected by the Utah Department of Health (UDOH). The server was managed by the Utah Department of Technology Services (DTS). In the process of moving Medicaid claims records to a new server, hackers were able to access ePHI despite the DTS\u2019s security system, resulting in the latest HIPAA violation. 
Hackers removed 24,000 files from the server &#8211; according to the UDOH, one file can potentially contain claims information on hundreds of individuals. The UDOH reports that the DTS servers have multi-layered security systems containing perimeter security, network security, identity management, application security and data security, but the question remains, would they pass a HIPAA audit of their controls? The UDOH claims that the DTS has process in place to secure their data, but the \u201cparticular server was not configured according to normal procedure.\u201d This may have simply been an oversight by DTS staff, but it also raises the question of whether or not their employees are trained in HIPAA security policies and procedures. An&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-1861","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head_json":{"title":"Server Hack Leads to HIPAA Violation by Utah Department of Health | OTAVA","canonical":"https:\/\/www.otava.com\/blog\/server-hack-leads-to-hipaa-violation-by-utah-department-of-health\/","article_published_time":"2012-04-09T00:00:00+00:00","author":"Irma Brillantes"}}