SALT LAKE CITY — New details of what went wrong in a costly health information data breach emerged Wednesday, and for the first time, the man fired over the matter spoke up about the increasing difficulty of his former job.
"There has been a huge increase in the number of attacks against state systems — about a 600 percent increase in the last four months — and it is always a difficult challenge to make sure that you have adequate resources there to make sure the attacks are turned away," said Stephen Fletcher, who was director of the state's Department of Technology Services until he was asked to resign on Tuesday.
Fletcher said he agreed with the governor's decision and takes full responsibility for the security breach, as it "took place under my watch."
Mark VanOrden, who was appointed to take over the department, told lawmakers in the Public Utilities and Technology interim committee meeting Wednesday that more than one human error is to blame for the health information of nearly 800,000 Utahns falling into untrusted hands.
"Two, three or four mistakes were made," VanOrden said, adding that it is hard to expect employees to memorize at least 100 pages of policy. "Ninety-nine percent of the state's data is behind two firewalls, this information was not. It was not encrypted and it did not have hardened passwords."
Utah's Medicaid Management Information System, which receives eligibility inquiries and billing information from providers, was not protected by a firewall as it was upgrading on March 10, when hackers in Eastern Europe first gained access to the state server.
That server was also installed by an independent contractor more than a year ago, which is not typical protocol for the department, VanOrden said. A process to ensure that new servers are monitored and a risk assessment performed prior to use was not followed, and factory-issued default passwords were still in effect on the server, which is also not "routine."
The final "mistake," he said, is that information stayed on the server for too long and while it was there, it was not encrypted, leaving it vulnerable to hackers who began downloading the sensitive information March 30.
VanOrden said actions are still being reviewed and employees investigated. Rep. Fred Cox, R-West Valley City, questioned management issues within the department, as he had heard of a high turnover rate there in recent months.
Utah Department of Health Director Dr. David Patton said the department has spent a "considerable amount" of money notifying individuals who may have been affected, contracting for customer service telephone hotline services and footing the bill for a free year of credit monitoring services for those whose Social Security numbers were compromised.
About 10 percent of the 280,000 offered the service have signed up so far. The low number is disconcerting to patient advocates and community leaders. But Patton said each person who signs up for the service costs the state $16 per year of credit monitoring.
One year, he said, is the industry standard, as the information "goes stale" after that.
A state data security ombudsman was named Tuesday to address issues faced by the public, and assess the need for additional resources.
"My initial focus will be working with the victims impacted in the breach, but in the long term, we know it is about rebuilding that public trust," said ombudsman Sheila Walsh-McDonald. "We have so many programs that are so dependent on sensitive health data and we need to gather and secure that data in order for those programs to be successful."
So far, there have been no reports of misuse of the ill-gotten information.
Officials are also working with the state's federal delegation to make replacement of a person's Social Security number less complicated than it is now, Patton said.
Moving forward, VanOrden, a veteran IT director who formerly worked with the Department of Workforce Services, said he will tighten security among personnel, including a possible checklist for any time a change is made to information stored on any one of the state's 2,000 servers and immediate termination for anyone who accesses information not pertinent to their jobs.
Such protocols were put into place while he was at DWS.
Fletcher, who was given an "appropriate" severance package after seven years with the agency, said the department should not be judged by this one "very significant" error that has had widespread impact, although he "takes that very seriously."
"There are a lot of bad guys out there trying to get access to these systems, so you have to be very, very vigilant," he said. "In the past seven years, the department has provided significant cost savings of over $75 million in the reduction of operating costs, increased online services over 30 percent, added new services, aligned very well with agencies, provided great accountability and service levels, and increased customer service satisfaction in all our services."2 comments on this story
Patton said the incident has been educational, that much of what is being learned from the experience can be used to enhance the security of the state's other agencies as well as the health department.
"We have a lot of data … and that data has some very sensitive information and it does need to be protected," he said, adding that state leaders need to continue its monitoring and oversight of the technology department "to make sure we don't slip back into complacency and that we're diligent and vigilant in how we handle our security in the future."