UDOH spokesman Tom Hudachko told FOX 13 as 280,000 social security numbers have been stolen and up to 500,000 others may have had other personal information taken including names, birth dates and addresses. However, he said Friday that number may go down as officials identify duplicate records.
Investigations are underway to determine exactly how personal information was stolen by hackers.
"Department of Technology Services indicated that normally they bring servers online with multiple security layers in place and through human error, failure to follow policy and procedure, this server simply was brought online with less security than it should have been brought online with," Hudachko said, confirming a weak password allowed hackers to breach the database.
Utah Gov. Gary Herbert has ordered an audit and security review in the wake of the hacking. The U.S. Department of Health and Human Services will also get involved.
"I think this is kind of the canary in the coal mine," said Dan Berger, the CEO of Redspin, a health care data security firm based in California.
Redspin published a study last year that found 385 breaches of protected health information. More than 19 million patient health records were affected. From 2010 to 2011, Redspin documented a 97 percent increase in data breaches.
Berger said it should be warning to health care organizations, both public and private, to ensure their data is secure.
Berger said hackers are becoming increasingly interested in medical records as a commodity, because they contain more information and are more valuable to sell than credit card information.
"A personal health record right now is worth somewhere in the order of $50 per record, as compared to a stolen credit card number which might be $3 or $4. It's an amazingly high value target right now," Berger told FOX 13.
With nearly 780,000 records being stolen, a thief could theoretically make nearly $39 million from UDOH's database, but Berger cautioned that supply and demand plays a role "even in stolen records."
The Utah Department of Health is offering to provide free credit monitoring for a year to those whose information was stolen. But there is little anyone can really do between now and the time they find out they are a victim.
The state is offering to provide free credit monitoring for a year for those whose personal information was stolen. Anyone who fears they may be a victim can also take some proactive steps while they wait for the health department's letter.
"People can freeze their credit," Hudachko said. "People can put fraud alerts on their credit."
UDOH has set up a hotline for information about the data breach: 855-238-3339.
Hudachko said people can enter their Social Security Number in the menu to verify if their personal information was, in fact, compromised.
More information can also be found at health.utah.gov/databreach.