SALT LAKE CITY — A data breach within the Utah Department of Health in 2012 that compromised personal information of 780,000 Utahns has not been linked to any cases of identity theft, state lawmakers were told Thursday.
David Patton, executive director of the Utah Department of Health, updated a legislative committee on the agency’s response to the data breach, which included personal information of people on Medicaid, retirees on Medicare, people who are privately insured and others who are uninsured. The information contained some 280,000 Social Security numbers.
Patton said there were 37 incidents in which people raised questions about whether the breach was tied to identity theft. That was later winnowed down to four possible connections. But after further review, it was determined the issues were not directly tied to the breach, Patton said.
In March 2012, hackers accessed data from a Medicaid server. Since then, the state has provided credit monitoring, conducted community meetings and spent hundreds of thousands of dollars on security experts and enhancements. Between the health department and Department of Technology Services, some $9 million has been spent enhancing security of state data systems since the breach.
Earlier this year, the Utah Legislature appropriated an additional $300,000 to the health department to improve its internal data security.
Patton, appearing before the Utah Legislature’s Social Services Appropriations Subcommittee, reported that the department had hired the equivalent of 2.5 employees to address security issues.
Francesca Lanier, the Utah Department of Health's data security manager, said the department has put a number of safeguards in place in the past 12 months to head off ongoing attempts to infiltrate state data systems. The department has also improved training to help ensure the security of its 182 data systems.
“With your support, we will continue to work diligently to put in place comprehensive security systems so we can meet this obligation to the public,” she said.
Mark VanOrden, the state’s chief information officer and executive director of the Department of Technology Services, said data systems managed by the state are subjected to millions of attempted cyber attacks daily.
At the start of the Legislature’s 2013 general session, the state was dealing with 20 million attacks a day, he said. By the end of the 45-day general session, the number exceeded 40 million.
One day in July, the state experienced more than 300 million attacks.
“These attacks become more and more sophisticated so we need to keep training our people and stay on top of this,” he said, explaining that the department works around the clock to protect the state's data systems.