Utah Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A detailed timeline of major cybersecurity incidents in Utah, from healthcare breaches to attacks on tech companies and government systems, and what businesses can learn from them.
Utah has transformed from a primarily resource-based economy into one of the nation's most dynamic technology hubs. The Silicon Slopes corridor stretching from Salt Lake City through Provo has attracted hundreds of technology companies, from enterprise software firms like Qualtrics and Pluralsight to cybersecurity startups. Combined with a major healthcare sector anchored by Intermountain Health and the University of Utah Health system, plus the federal government's significant presence through Hill Air Force Base and the NSA Utah Data Center in Bluffdale, the state presents a diverse and high-value target for cyber adversaries.
The incidents documented below represent real breaches that have affected Utah organizations across sectors. Each case carries lessons about vulnerabilities that persist in many organizations today. Understanding this history is essential for any Utah business building or refining its cybersecurity program. For a broader analysis of the risks facing Utah businesses, see our Utah cyber threat landscape report.
Major Cyber Incidents in Utah: A Timeline
2012 — Utah Department of Health Data Breach
In March 2012, a breach of the Utah Department of Health's Medicaid claims server exposed the personal information of approximately 780,000 individuals, including Social Security numbers for roughly 280,000 of those affected. Eastern European hackers exploited a misconfigured authentication system on a server maintained by the state's Department of Technology Services. The breach prompted a comprehensive overhaul of the state's cybersecurity infrastructure and led to the creation of a dedicated state cybersecurity office. The incident remains one of the largest government data breaches in Utah history.
2014 — Utah Department of Workforce Services Incident
The Utah Department of Workforce Services experienced a data security incident that exposed personal information of individuals who had filed unemployment claims. The breach involved unauthorized access to a database containing names, Social Security numbers, and employment histories. The incident prompted the department to implement additional access controls and monitoring for its systems handling sensitive employment data.
2016 — University of Utah Hospital Billing Breach
University of Utah Health disclosed a breach involving an employee's email account that was compromised through a phishing attack. The account contained billing and patient information including names, dates of birth, medical record numbers, and in some cases Social Security numbers and clinical information. The breach affected approximately 4,000 patients and led the health system to implement phishing-resistant multi-factor authentication for all email accounts.
2020 — University of Utah Ransomware Attack
In August 2020, the University of Utah paid $457,000 to a ransomware gang after attackers encrypted data on servers within the university's College of Social and Behavioral Science. The university stated that a small percentage of data was exfiltrated before encryption, including employee and student information. The decision to pay was made to prevent the public release of stolen data. The incident highlighted the difficult calculus organizations face when threat actors combine encryption with data exfiltration for double extortion.
2021 — Utah Imaging Associates Breach
Utah Imaging Associates, a medical imaging provider serving multiple healthcare facilities in the Salt Lake City area, disclosed a data breach after discovering unauthorized access to its systems. The breach exposed patient information including names, dates of birth, Social Security numbers, health insurance information, and medical imaging results. Approximately 583,000 individuals were affected, making it one of the largest healthcare breaches in Utah history.
2022 — Strata Oncology / Utah Cancer Specialists Supply Chain Incident
Multiple Utah oncology practices were affected by a data breach at a third-party vendor that provided clinical trial matching services. The breach exposed patient names, dates of birth, diagnosis information, and genomic testing results. The incident demonstrated the supply chain risk inherent in healthcare technology partnerships, where sensitive clinical data flows through multiple connected systems beyond the direct control of the treating provider.
2023 — Xactware Solutions / Verisk Data Incident
Xactware Solutions, a Verisk subsidiary headquartered in Orem, Utah, that provides property claims estimation software to the insurance industry, was identified as one of the organizations affected by exploitation of the MOVEit Transfer vulnerability. The incident potentially exposed data related to insurance claims processed through the platform. Given Xactware's central role in the property insurance ecosystem, the breach had implications far beyond Utah's borders.
2024 — Intermountain Health Vendor Data Exposure
Intermountain Health, Utah's largest healthcare system, notified patients that a third-party vendor had experienced a data incident that exposed patient information. The affected data included names, dates of birth, medical record numbers, and limited clinical information. Intermountain stated that its own systems were not compromised but that the vendor's security controls had been insufficient. The incident reinforced the importance of rigorous vendor risk management programs in healthcare.
Utah's Data Breach Notification Law
Utah's data breach notification requirements are codified in the Protection of Personal Information Act, Utah Code Sections 13-44-101 through 13-44-301. The law requires any person who owns or licenses computerized personal information of Utah residents to notify affected individuals within 60 days of discovering a breach. If the breach affects 500 or more Utah residents, the business must also notify the Utah Attorney General.
Personal information under the statute includes a person's name combined with Social Security numbers, driver's license numbers, financial account numbers with access credentials, or medical information. Utah also provides a safe harbor for organizations that maintain and comply with their own breach notification procedures, provided those procedures are at least as protective as the statutory requirements. For a detailed overview of Utah's full regulatory framework, see our Utah cybersecurity compliance guide.
Which Utah Industries Are Most Targeted?
Technology (Silicon Slopes)
Utah's technology sector has grown rapidly, with over 7,000 technology companies operating in the state. These companies hold valuable intellectual property, customer data, and in many cases provide software-as-a-service platforms that serve as critical infrastructure for their customers. A breach at a Utah SaaS company can cascade to thousands of downstream customers nationwide. Small tech businesses in the Silicon Slopes corridor face particular pressure to scale rapidly, sometimes at the expense of security maturity.
Healthcare
Intermountain Health, University of Utah Health, and Steward Health Care's Utah operations process enormous volumes of protected health information. Utah's healthcare sector faces the full spectrum of cyber threats, from ransomware designed to extort payment through system lockouts to data exfiltration targeting high-value patient records for identity theft and insurance fraud.
Government and Defense
The NSA Utah Data Center in Bluffdale, Hill Air Force Base in Ogden, and the Dugway Proving Ground represent significant federal government presence. While these facilities maintain their own security apparatus, the broader ecosystem of defense contractors and government service providers across Utah creates a large attack surface for nation-state adversaries and espionage-motivated threat actors.
Financial Services
Utah's financial services sector, including Goldman Sachs' significant Salt Lake City operations, Zions Bancorporation, and a growing fintech ecosystem, holds customer financial data that is consistently targeted by cybercriminals for fraud and identity theft.
What Utah Businesses Must Do After a Breach
Utah businesses that experience a data breach must act within the 60-day notification window established by state law. The process begins with containment — isolating affected systems, revoking compromised credentials, and preserving forensic evidence. A forensic investigation should determine the scope of the breach, identify the attack vector, and assess what data was accessed or exfiltrated.
If the breach affects 500 or more Utah residents, the organization must notify the Utah Attorney General's office in addition to affected individuals. Notification should include a description of the incident, the types of information compromised, and steps individuals can take to protect themselves. Organizations with managed IT security services in place typically detect and contain breaches faster, reducing both the operational impact and legal exposure.
How to Protect Your Utah Business Before an Incident
Utah businesses should implement a defense-in-depth strategy that addresses the state's specific threat landscape. Given the prominence of supply chain attacks in Utah's incident history, vendor risk management deserves particular attention. Organizations should require security assessments of critical vendors, include breach notification provisions in contracts, and limit the data shared with third parties to what is strictly necessary.
Understanding what managed IT services include can help Utah businesses, particularly growing tech companies and healthcare practices, determine which security functions to build in-house versus outsource. Core protections that every Utah business should have in place include:
Multi-factor authentication on all email, cloud, and administrative accounts
Endpoint detection and response (EDR) across all devices
Vendor risk management program with security assessments for all critical third parties
Regular penetration testing at least annually, with more frequent testing for tech companies
Incident response plan documented, tested, and updated annually
Employee security training with quarterly phishing simulations
Frequently Asked Questions
What is Utah's data breach notification deadline?
Utah law requires businesses to notify affected individuals within 60 days of discovering a data breach. If the breach affects 500 or more Utah residents, the business must also notify the Utah Attorney General within the same timeframe.
Has Utah been the target of nation-state cyberattacks?
Utah's significant federal government and defense presence — including the NSA Utah Data Center, Hill Air Force Base, and multiple national defense contractors — makes the state a target for nation-state adversaries. While specific classified incidents are not publicly disclosed, the broader defense supply chain in Utah faces persistent espionage threats from state-sponsored groups.
How does Utah's tech sector concentration affect cybersecurity risk?
Utah's Silicon Slopes corridor contains over 7,000 technology companies, many of which provide SaaS platforms used by businesses nationwide. A breach at a Utah SaaS company can cascade to thousands of downstream customers, making the state's tech concentration a significant source of both local and national cyber risk.
What is the NSA Utah Data Center's impact on local cybersecurity?
The NSA Utah Data Center in Bluffdale is a classified intelligence facility that processes and stores surveillance data. While the facility itself maintains military-grade security, its presence elevates the cyber threat profile for the surrounding ecosystem of defense contractors, technology vendors, and government service providers in Utah.
Are Utah healthcare organizations particularly vulnerable to cyberattacks?
Yes. Utah healthcare organizations have experienced several significant breaches, including the Utah Imaging Associates incident affecting 583,000 individuals. The sector's combination of high-value patient data, complex interconnected systems, and life-safety pressure to restore operations quickly makes it an attractive target for ransomware and data theft.
What can Utah small businesses do to improve cybersecurity on a limited budget?
Utah small businesses should prioritize multi-factor authentication, employee phishing awareness training, regular software patching, and encrypted backups. Managed IT service providers offer affordable security monitoring and incident response capabilities that would be cost-prohibitive to build in-house. Cyber insurance can also offset breach-related expenses for small businesses operating with limited reserves.
Alex Morgan
Updated Apr 5, 2026