I think the protocols need to be strengthened. This was more than just a misconfigured server, it was also a lack of things like encryption and proper internal access control. —University of Utah computing professor Matt Might
SALT LAKE CITY — There aren't many breaches of secure information large enough to report to the U.S. Department of Health and Human Services, but when they do happen, there is little recourse for individuals who are affected.
The only possible remedy would come from enforcement of a violation of the Health Information Portability and Accountability Act, if one is substantiated in the first place, according to Tenielle Brown, an associate professor at the University of Utah's S.J. Quinney College of Law.
In Utah, action would have to be taken by the state's attorney general or the federal Office for Civil Rights.
"Of the two parts of the HIPAA rule, the privacy rule is trying to get at that unauthorized disclosure of patient medical records," Brown said. "It doesn't appear to be what happened in this case. It appears it was a security breach just by failing to have adequate safeguards in place."
In the case of Utah's recent Medicaid information breach — in which the health information of approximately 780,000 Utahns, including potentially 255,000 Social Security numbers, was compromised — individuals would have to prove financial harm, which might take years to realize, Brown said.
"It's unsatisfying to have to wait that long and then bring it through the often lengthy court process as well," she said, adding that the biggest effect of last week's breach might be loss of public trust in the Medicaid system.
"There aren't alternatives to providing these services," Brown said. Private information is pertinent to obtaining health insurance and medical care. "You have to give up that information."
It is possible that Utah may incur fines for not securing the information properly, up to $1,000 per record that was compromised. But Brown said it is a long shot for any person to go after the state themselves.
"A person would have to show that there was something reckless done by the state," she said. "And it doesn't sound intentional in this case."
Only violations affecting more than 500 people get reported to the federal government and the last reported offense occurred in Indiana, where health information of 20,000 people was presumed stolen. Utah's breach isn't the largest in the country, but ranks up there with some of the most substantial in history.
It is, however, the most extensive case ever to occur within the state.
"I think the protocols need to be strengthened," said University of Utah computing professor Matt Might. "This was more than just a misconfigured server, it was also a lack of things like encryption and proper internal access control."
Hackers traced to an Internet protocol address in Eastern Europe are suspected to have accessed the state's information during a time of particular vulnerability, late in the day on March 30. Medicaid information is housed on any one of 125 of the state's 520 networked servers that is used by the Utah Department of Health.
Might said the supposed infiltrators are likely specialized information thieves and the information they retrieved will or already has been sold on the black market, "which is huge for this sort of thing."
In addition to applying for credit cards, individuals who are familiar with the value of such personal information, he said, could likely use it to help illegal immigrants file for employment, file fraudulent tax returns and purport Medicare and Medicaid fraud, which is already a $50 billion problem in the U.S.
"Once it's out there, it's out there," Might said. "You could put a fraud alert on your credit report, but that's all you can do."
Fortunately, the immediate vulnerabilities of the breached system, and perhaps others, have been closed, but he hopes the state has learned its lesson.
"This is a major wake-up call to everyone," Might said.
The health department is currently attempting to contact any affected individuals via official letterhead, mailed to the homes of those whose information was involved in the breach. Rumors of scams have already come to light, as people are being contacted by phone and text, as well as emails, regarding the compromised information.
"Crooks watch the news as well as the good guys. We want to make sure we don't have any more victims," said Francine Giani, director of the Utah Department of Commerce. She said any contact regarding the situation will come directly from the UDOH.
"We want to make sure we take care of those people whose names and information has been out there," Giani said, adding that it is possible that some people may end up needing new Social Security numbers when all is said and done, which she admitted, is "a little bit of a bother."
Giani said that regardless of this information breach, everyone should keep an eye on their credit reports, at least once every couple of years, "to make sure everything is accurate and correct."
The state is offering to cover the costs of up to a year of credit monitoring services for each person impacted. More information can be found online, at www.health.utah.gov. An information hotline is also available, by calling 1-855-238-3339, toll-free.
Contributing: John Daley
E-mail: [email protected]