SALT LAKE CITY – An additional 750,000 people had their personal information stolen by hackers, state health officials said Monday after discovering that the thieves downloaded thousands more files of data than authorities initially believed.
Officials originally estimated that about 24,000 people had their records stolen after a computer tracked to Eastern Europe infiltrated a server beginning March 30, then changed that number to 182,000 victims.
Health officials now believe a total of nearly 900,000 people have had their personal data stolen.
The information includes Social Security numbers, health department spokesman Tom Huduchko said at a news conference. Some files also contained information needed to verify Medicaid coverage, as well as names, addresses or other personal information, he added.
The information was stolen from a new server at the health department, said Stephen Fletcher, executive director of the Department of Technology Services. Although the state has multiple layers of security on every server, a technician installed a password that wasn't as secure as needed.
Some of the data were for beneficiaries of Medicaid and a health care program for children from low-income families, department officials said last week. That would include children, whose lack of a credit report could make monitoring for identity theft difficult.
In all, the hackers downloaded about 224,000 files, some of which contained hundreds of records, Hudachko said.
Since the data breach was discovered last week, state officials have revised the number of victims three times. The state has reviewed all the files stored on the breached server, and Fletcher said it was unlikely the number would increase again.
The state also checked other servers used by agencies and have not discovered other breaches.
Residents whose information was stolen will be alerted, with the priority going to those who had their Social Security numbers were taken, said Michael Hales, deputy director of the Health Department. The department is offering free credit monitoring for a year to those residents.
Hales said it was important for people to monitor their credit ratings and bank accounts for fraud.
Monitoring financial accounts and credit reports is an important first step, but identity theft victims should also alert the three credit bureaus about potential fraud, said Kirk Torgensen, a chief deputy with the Utah attorney general's office who specializes in identity theft.
Protecting children from identity theft can be more difficult, since they normally will not have a credit report, credit cards or bank accounts to monitor. To assist parents, the state was working with the credit bureau TransUnion to register a child's Social Security number and essentially freeze their credit until they are old enough to need it.
A state website allows fraud victims to file an affidavit that will reduce the amount of time -- sometimes hundreds of hours -- that identity theft victims have to spend fixing their credit.