State technology chief ousted over health data breach

Published: Tuesday, May 15 2012 3:00 p.m. MDT

J. Stephen Fletcher

, Utah State Government

SALT LAKE CITY — The state's executive director of technology services, Stephen Fletcher, has been terminated over the data breach that compromised personal medical information of an estimated 800,000 Utahns.

Gov. Gary Herbert also said Tuesday two Department of Technology Services employees are under investigation in relation to the mistakes that led to the breach and he pledged the state will find a way to more securely handle confidential data.  

"There needs to be some accountability for the lack of oversight and leadership," Herbert said. "He has not built the kind of system we need going forward," Herbert said, in explaining why he asked Fletcher to step down.

Legislative leaders agreed with Fletcher's forced resignation and said changes need to be made to protect Utahns personal information. Sen. Stuart Reid, R-Ogden, is drafting a bill that would give patients control over how their health insurance details are shared with the government and tightening data security.

"I'm not looking to point fingers. I'm not looking to blame. What I'm looking to do is solve the problem so it doesn't happen in the future," Reid said.

The data breach was detected in March after a server was improperly protected, allowing hackers from Eastern Europe to access the state's Medicaid database. Tuesday's action comes after weeks spent notifying individuals whose information may have been compromised. 

"We know from a review we've done already of this process, that the breach was a direct result of employees who neglected to adhere to and establish security protocols, and in this particular instance, there is just no room for error," Herbert said.

The governor apologized, saying the state has "failed to honor a commitment" to the people who trusted the government to protect personal information. He said much is being done to not only protect those whose information was compromised, but also to correct the action and restore public trust in the system.

"When it comes to the private data that the public gives to our state, we take it very seriously," Herbert said. "This is a responsibility that every employee takes very seriously and certainly I do."

The state has enlisted the help of Deloitte & Touche, an auditing and risk security agency, as well as the London-based law firm of Hogan Lovells, which will assess the way the state has responded to the victims of the breach.

The governor also said technical experts from the public and private sectors are coming together to review the processes in place and develop a plan for the future of data protection within the state.

"This incident is a tragic reminder that it is a different world in which we live," Herbert said, adding that the attack has been personal, as members of his family and those of his staff have been impacted.

Reid said he got involved in drafting legislation after his wife was contacted by the state concerning the loss of information. Other lawmakers said they have been hearing nonstop from angry constituents, who are worried about how their personal information may be used.

"This is a significant issue that demands accountability," House Speaker Becky Lockhart, R-Provo, said. "If I were a person who had been affected, I think I would have had some frustration."

Lockhart said not only do Utahns need reassurance about what happened to their data, they need to know it will be safeguarded in the future. That may require a reassessment of the state's centralized technology services that have been in place since 2005.

Senate President Michael Waddoups, R-Taylorsville, said the state is already spending millions of dollars fixing the problem and for credit monitoring for those affected, and still faces the possibility of federal penalties and a class-action lawsuit.

Waddoups estimated the current cost at less than $10 million.

Try out the new DeseretNews.com design!
try beta learn more
Get The Deseret News Everywhere