Multiple 'mistakes' led to massive health data breach, director says
Ex-IT chief takes responsibility for 'human error'
Utah State Government
SALT LAKE CITY — New details of what went wrong in a costly health information data breach emerged Wednesday, and for the first time, the man fired over the matter spoke up about the increasing difficulty of his former job.
"There has been a huge increase in the number of attacks against state systems — about a 600 percent increase in the last four months — and it is always a difficult challenge to make sure that you have adequate resources there to make sure the attacks are turned away," said Stephen Fletcher, who was director of the state's Department of Technology Services until he was asked to resign on Tuesday.
Fletcher said he agreed with the governor's decision and takes full responsibility for the security breach, as it "took place under my watch."
Mark VanOrden, who was appointed to take over the department, told lawmakers in the Public Utilities and Technology interim committee meeting Wednesday that more than one human error is to blame for the health information of nearly 800,000 Utahns falling into untrusted hands.
"Two, three or four mistakes were made," VanOrden said, adding that it is hard to expect employees to memorize at least 100 pages of policy. "Ninety-nine percent of the state's data is behind two firewalls, this information was not. It was not encrypted and it did not have hardened passwords."
Utah's Medicaid Management Information System, which receives eligibility inquiries and billing information from providers, was not protected by a firewall as it was upgrading on March 10, when hackers in Eastern Europe first gained access to the state server.
That server was also installed by an independent contractor more than a year ago, which is not typical protocol for the department, VanOrden said. A process to ensure that new servers are monitored and a risk assessment performed prior to use was not followed, and factory-issued default passwords were still in effect on the server, which is also not "routine."
The final "mistake," he said, is that information stayed on the server for too long and while it was there, it was not encrypted, leaving it vulnerable to hackers who began downloading the sensitive information March 30.
VanOrden said actions are still being reviewed and employees investigated. Rep. Fred Cox, R-West Valley City, questioned management issues within the department, as he had heard of a high turnover rate there in recent months.
Utah Department of Health Director Dr. David Patton said the department has spent a "considerable amount" of money notifying individuals who may have been affected, contracting for customer service telephone hotline services and footing the bill for a free year of credit monitoring services for those whose Social Security numbers were compromised.
About 10 percent of the 280,000 offered the service have signed up so far. The low number is disconcerting to patient advocates and community leaders. But Patton said each person who signs up for the service costs the state $16 per year of credit monitoring.
One year, he said, is the industry standard, as the information "goes stale" after that.
A state data security ombudsman was named Tuesday to address issues faced by the public, and assess the need for additional resources.
- Is 'Speaker Chaffetz' more likely with...
- New Salt Lake County ordinance mandates pet...
- Most wanted fugitive arrested in West Valley...
- Could elephants' 'superhero' cancer guardian...
- Utah man impresses all four judges on 'The...
- Couple charged with stealing Hondas from TRAX...
- Thousands get in on blue foam craze for...
- UVU now the largest university in Utah, new...
- Is 'Speaker Chaffetz' more likely with... 62
- Chaffetz's run for speaker makes... 47
- It's official: Jason Chaffetz to make... 41
- Utah cites Warren Jeffs as reason... 41
- Scholars disagree whether compromise... 33
- Gov. Herbert says latest Medicaid... 26
- Proposal calls for 900 South to be... 19
- LDS Church leaders continue to... 17