Multiple 'mistakes' led to massive health data breach, director says

Ex-IT chief takes responsibility for 'human error'

Published: Wednesday, May 16 2012 6:00 p.m. MDT



SALT LAKE CITY — New details of what went wrong in a costly health information data breach emerged Wednesday, and for the first time, the man fired over the matter spoke up about the increasing difficulty of his former job.

"There has been a huge increase in the number of attacks against state systems — about a 600 percent increase in the last four months — and it is always a difficult challenge to make sure that you have adequate resources there to make sure the attacks are turned away," said Stephen Fletcher, who was director of the state's Department of Technology Services until he was asked to resign on Tuesday.

Fletcher said he agreed with the governor's decision and takes full responsibility for the security breach, as it "took place under my watch."

Mark VanOrden, who was appointed to take over the department, told lawmakers in the Public Utilities and Technology interim committee meeting Wednesday that more than one human error is to blame for the health information of nearly 800,000 Utahns falling into untrusted hands.

"Two, three or four mistakes were made," VanOrden said, adding that it is hard to expect employees to memorize at least 100 pages of policy. "Ninety-nine percent of the state's data is behind two firewalls; this information was not. It was not encrypted and it did not have hardened passwords."

Utah's Medicaid Management Information System, which receives eligibility inquiries and billing information from providers, was not protected by a firewall while it was being upgraded on March 10, when hackers in Eastern Europe first gained access to the state server.

That server had also been installed by an independent contractor more than a year earlier, which is not the department's typical protocol, VanOrden said. The process that requires new servers to be monitored and a risk assessment to be performed before they are put into use was not followed, and the factory-issued default passwords were still in effect on the server, which is also not "routine."

The final "mistake," he said, was that the information stayed on the server for too long, and while it was there it was not encrypted, leaving it exposed to the hackers, who began downloading the sensitive information on March 30.

VanOrden said actions are still being reviewed and employees investigated. Rep. Fred Cox, R-West Valley City, questioned management issues within the department, as he had heard of a high turnover rate there in recent months.

Utah Department of Health Director Dr. David Patton said the department has spent a "considerable amount" of money notifying individuals who may have been affected, contracting for customer service telephone hotline services and footing the bill for a free year of credit monitoring services for those whose Social Security numbers were compromised.

About 10 percent of the 280,000 offered the service have signed up so far. The low number is disconcerting to patient advocates and community leaders. But Patton said each person who signs up for the service costs the state $16 per year of credit monitoring.

One year, he said, is the industry standard, as the information "goes stale" after that.

A state data security ombudsman was named Tuesday to address issues faced by the public, and assess the need for additional resources.
