Health Data Security Breach Case Study
Utah Department of Health Data Security Breach
September 12, 2013
Accounting Information Systems
Utah Department of Health Data Security Breach
Introduction
On March 10, 2012, thousands of people fell victim to having their social security numbers, birthdays, names, addresses, and even their medical diagnosis stolen by computer hackers. On April 2, 2012, the breach was realized and 780,000 people learned that their identities were stolen and would now need to monitor their credit. Computer and internet fraud is defined by the federal law as “the use of a computer to create a dishonest misrepresentation of fact as an attempt to induce another to do or refrain from doing something which causes loss” (www.law.cornell.edu). …show more content…
There are many forms of criminal activity on the internet; one such form is called hacking. Hacking is when someone uses “sophisticated tools” in an effort to gain access into someone else’s internet database system. In the above-mentioned case, the Utah Department of Health experienced hackers gaining access to thousands of peoples’ private information. As we will learn, later in this writing, hacking can cause millions of peoples’ lives to be turned upside down in an incredibly short period of time.
The Breach
In March 2012, hackers were able to gain access into a Medicaid server that stored private identity and health information.
A technician had placed the server online and neglected to change the factory password which was “password1,” the most common default password on the internet. Some of the victims whose identities were stolen were Medicaid recipients, but some were also privately insured, uninsured, and retirees whose information was sent to the Medicaid program in hopes of receiving their benefits. This case fits the profile of computer and internet fraud cases all over the world. Hackers gain access to databases that contain social security numbers and credit card or bank account numbers and then will most likely turn around and sell them to people who will ultimately use them for monetary gain. One way these hackers differ from other hackers is that they attacked already low-income individuals whereas most hackers will target wealthy individuals, large corporations, or small businesses. Wealthy people are targeted because they may not notice money missing right away or they will have other people controlling their accounts which makes it more difficult to notice missing information. In the Utah Department of Health data security breach, the hackers were able to steal information over a three day period before it was noticed and then the server was shut down. This is one of the many reasons that cyber-crime has become increasingly popular; because so much …show more content…
information can be compromised in a short amount of time before anyone ever notices the breach.
The Opportunity Triangle
The fraud triangle is basically a model to explain three factors that go into someone committing fraud.
They are: perceived financial need, perceived opportunity, and rationalization. Together, these elements allow someone to commit, conceal, and convert fraud. In the data breach we’ve been discussing, the hackers had all three elements; they had a need or a reason to steal the private information, they had the opportunity to hack into the system when the technician neglected to change the default password, and they were able to rationalize it by saying that the state would have to protect all of the victims since it was their system that was compromised and it was their fault they didn’t change the password. Most of the time, if all three of these elements are not present, it is very difficult for someone to commit the fraud. For example, there may be the opportunity, but there is no reason to do it. Or, there is a reason to do it, but there is no
opportunity.
Preventing Data Security Breaches
In an article provided by a global leader in internet security, the Symantic Corporation provides six steps to prevent a data security breach. They are:
1. Stop incursion by targeted attacks.
Hackers look for a means of gaining access by finding system vulnerabilities, password violations, SQL injections, and malware attacks.
2. Identify threats by using real time alerts.
Companies should find a virus software program that can detect security problems right away as they happen and alert the owners.
3. Proactively protect information.
Consumer or patient information should be protected at all costs. Technicians should perform routine security checks of private information.
4. Automate security with IT compliance controls.
Virus protection should include a way to automate alerts and searches with the IT compliance procedures so that there are no holes in security.
5. Prevent data infiltration.
Security should be up to date and servers should be monitored daily to check for inconsistencies.
6. Integrate prevention response strategies.
Companies should have policies and procedures set in place in regards to security breaches that will tell technicians exactly what to do if a breach is detected.
Conclusion
The end result of the Utah Department of Health data security breach involved 780,000 people having to be responsible for monitoring their credit for the next ten years possibly. Although the state is providing credit monitoring services free of charge, it still doesn’t mean that people won’t struggle with this event. The Salt Lake Tribune reports at least ten people having to report instances of fraud, three people claiming that false tax returns were filed with their social security numbers as well as their children falsely being claimed, several people being denied public assistance because their socials were used to gain employment, credit lines being set up, cell phone accounts being started, and even someone being stopped for false criminal warrants under his social security number. As we can see, a security breach can affect millions of people in just a short amount of time and it can have lasting results for decades. People are now responsible for cleaning up messes that they didn’t create especially when they were already struggling financially. Computer and internet fraud is on the rise because our society uses the internet for almost everything today. The only thing we can do to try to prevent a data security breach such as this one is to make sure we take extra care to protect our passwords and our servers. The Utah Department of Health will be sure to change their default factory passwords in the future!
Resources
Computer and Internet Fraud. www.law.cornell.edu/wex/computer_and_internet_fraud, Retrieved September 12, 2013.
Insurance Journal. Study: Utah Health Breach could Approach $406 M. Retrieved from www.insurancejournal.com/news/west/2013/05/01/290357.htm, September 12, 2013.
Stewart, K., 2013. The Salt Lake Tribune. Report: Utah’s health data breach was a costly mistake. Retrieved from www.sltrib.com, September 12, 2013.
Utah Department of Health. www.health.utah.gov/databreach/common-questions.html, Retrieved September 12, 2013.
September 12, 2013
Accounting Information Systems
Utah Department of Health Data Security Breach
Introduction
On March 10, 2012, thousands of people fell victim to having their social security numbers, birthdays, names, addresses, and even their medical diagnosis stolen by computer hackers. On April 2, 2012, the breach was realized and 780,000 people learned that their identities were stolen and would now need to monitor their credit. Computer and internet fraud is defined by the federal law as “the use of a computer to create a dishonest misrepresentation of fact as an attempt to induce another to do or refrain from doing something which causes loss” (www.law.cornell.edu). …show more content…
There are many forms of criminal activity on the internet; one such form is called hacking. Hacking is when someone uses “sophisticated tools” in an effort to gain access into someone else’s internet database system. In the above-mentioned case, the Utah Department of Health experienced hackers gaining access to thousands of peoples’ private information. As we will learn, later in this writing, hacking can cause millions of peoples’ lives to be turned upside down in an incredibly short period of time.
The Breach
In March 2012, hackers were able to gain access into a Medicaid server that stored private identity and health information.
A technician had placed the server online and neglected to change the factory password which was “password1,” the most common default password on the internet. Some of the victims whose identities were stolen were Medicaid recipients, but some were also privately insured, uninsured, and retirees whose information was sent to the Medicaid program in hopes of receiving their benefits. This case fits the profile of computer and internet fraud cases all over the world. Hackers gain access to databases that contain social security numbers and credit card or bank account numbers and then will most likely turn around and sell them to people who will ultimately use them for monetary gain. One way these hackers differ from other hackers is that they attacked already low-income individuals whereas most hackers will target wealthy individuals, large corporations, or small businesses. Wealthy people are targeted because they may not notice money missing right away or they will have other people controlling their accounts which makes it more difficult to notice missing information. In the Utah Department of Health data security breach, the hackers were able to steal information over a three day period before it was noticed and then the server was shut down. This is one of the many reasons that cyber-crime has become increasingly popular; because so much …show more content…
information can be compromised in a short amount of time before anyone ever notices the breach.
The Opportunity Triangle
The fraud triangle is basically a model to explain three factors that go into someone committing fraud.
They are: perceived financial need, perceived opportunity, and rationalization. Together, these elements allow someone to commit, conceal, and convert fraud. In the data breach we’ve been discussing, the hackers had all three elements; they had a need or a reason to steal the private information, they had the opportunity to hack into the system when the technician neglected to change the default password, and they were able to rationalize it by saying that the state would have to protect all of the victims since it was their system that was compromised and it was their fault they didn’t change the password. Most of the time, if all three of these elements are not present, it is very difficult for someone to commit the fraud. For example, there may be the opportunity, but there is no reason to do it. Or, there is a reason to do it, but there is no
opportunity.
Preventing Data Security Breaches
In an article provided by a global leader in internet security, the Symantic Corporation provides six steps to prevent a data security breach. They are:
1. Stop incursion by targeted attacks.
Hackers look for a means of gaining access by finding system vulnerabilities, password violations, SQL injections, and malware attacks.
2. Identify threats by using real time alerts.
Companies should find a virus software program that can detect security problems right away as they happen and alert the owners.
3. Proactively protect information.
Consumer or patient information should be protected at all costs. Technicians should perform routine security checks of private information.
4. Automate security with IT compliance controls.
Virus protection should include a way to automate alerts and searches with the IT compliance procedures so that there are no holes in security.
5. Prevent data infiltration.
Security should be up to date and servers should be monitored daily to check for inconsistencies.
6. Integrate prevention response strategies.
Companies should have policies and procedures set in place in regards to security breaches that will tell technicians exactly what to do if a breach is detected.
Conclusion
The end result of the Utah Department of Health data security breach involved 780,000 people having to be responsible for monitoring their credit for the next ten years possibly. Although the state is providing credit monitoring services free of charge, it still doesn’t mean that people won’t struggle with this event. The Salt Lake Tribune reports at least ten people having to report instances of fraud, three people claiming that false tax returns were filed with their social security numbers as well as their children falsely being claimed, several people being denied public assistance because their socials were used to gain employment, credit lines being set up, cell phone accounts being started, and even someone being stopped for false criminal warrants under his social security number. As we can see, a security breach can affect millions of people in just a short amount of time and it can have lasting results for decades. People are now responsible for cleaning up messes that they didn’t create especially when they were already struggling financially. Computer and internet fraud is on the rise because our society uses the internet for almost everything today. The only thing we can do to try to prevent a data security breach such as this one is to make sure we take extra care to protect our passwords and our servers. The Utah Department of Health will be sure to change their default factory passwords in the future!
Resources
Computer and Internet Fraud. www.law.cornell.edu/wex/computer_and_internet_fraud, Retrieved September 12, 2013.
Insurance Journal. Study: Utah Health Breach could Approach $406 M. Retrieved from www.insurancejournal.com/news/west/2013/05/01/290357.htm, September 12, 2013.
Stewart, K., 2013. The Salt Lake Tribune. Report: Utah’s health data breach was a costly mistake. Retrieved from www.sltrib.com, September 12, 2013.
Utah Department of Health. www.health.utah.gov/databreach/common-questions.html, Retrieved September 12, 2013.