SALT LAKE CITY — Health care professionals with expired licenses, including one whose license had lapsed nearly four years earlier, accessed Utah's controlled substance database, a new state audit shows.
The state auditor's office found that seven people with expired licenses were able to log in to the secure system between October 2016 and November 2017. Five of them performed searches, with one search being done more than 3 1/2 years after the practitioner's license expired.
The unauthorized access was traced to a bug that prevented the system from verifying the license, according to the audit. The Utah Department of Professional Licensing, which oversees the database, fixed the bug five days after it was detected.
"Privacy protection is important to many Utahns. I am impressed with the proactive steps DOPL has taken to remedy issues identified in the audit," said State Auditor John Dougall.
Dougall said he also is encouraged by DOPL's willingness to work with the Legislature to define an appropriate retention schedule for the personally identifiable information in the database, adding that excessive retention of personal data can expose Utahns to unnecessary privacy risk.
Utah lawmakers created the controlled substance database in 1995 to track the dispensing of prescription drugs. Access is restricted to 20 categories of people including DOPL employees, licensed medical practitioners and pharmacists.
Registered users include 18,025 health care providers and 2,565 pharmacists, and 1.6 million searches have been performed in the database, according to the audit.
In 2013, police in Cottonwood Heights searched 480 names of Unified Fire Authority firefighters in an effort to investigate a case involving painkillers missing from ambulances. An assistant fire chief who faced criminal charges as a result of the search sued Cottonwood Heights police, claiming a detective obtained his medical history through the database without probable cause or a search warrant.
The case prompted the Legislature to pass a law in 2015 requiring officers to get a search warrant before checking the database.
The audit released Wednesday also found 41 people received database accounts without proper approval, and documentation for five of them was never found. Although only one of those five logged in, each had the ability to do so, according to the audit.
Auditors also found:
• Inadequate password requirements that do not comply with DOPL policy.
• User accounts are not periodically reviewed for appropriateness.
• Management has not defined activities that should be monitored.
• Inadequate monitoring of user activity.
• Insufficient monitoring of testing documentation for application changes prior to deployment.
• Data retention policy exposes DOPL to unnecessary risk.
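The two control gaps that stand out above, the license check the system failed to apply at login and the missing periodic review of user accounts, are easy to illustrate. The following Python is an added example written for this article; it is not DOPL's code, and the account registry and audit-log lines are constructed sample data (user ids and dates are hypothetical, not figures from the audit). It models the gate that should deny access once a license has expired, then runs a periodic review over an access log to flag any activity by expired or unknown accounts, reporting how far past expiry each event fell.

```python
from datetime import date

# Constructed sample registry (hypothetical): user id -> license expiry date.
ACCOUNTS = {
    "u100": date(2014, 3, 31),   # expired years before the review window
    "u101": date(2017, 6, 30),   # expires part-way through the window
    "u102": date(2019, 12, 31),  # valid throughout the window
}

# Constructed sample access log (hypothetical), one "date user action" per line.
AUDIT_LOG = """\
2016-10-05 u102 login
2016-10-05 u102 search
2017-01-12 u100 login
2017-01-12 u100 search
2017-07-15 u101 login
2017-11-20 u101 search
2017-11-21 u999 login
"""


def license_is_valid(user, on):
    """The gate the audit found was not being enforced: grant access only if the
    account is known and its license expiry is on or after the access date."""
    expiry = ACCOUNTS.get(user)
    return expiry is not None and expiry >= on


def parse_log(text):
    """Parse the simple constructed log format into (date, user, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action = line.split()
        events.append((date.fromisoformat(day), user, action))
    return events


def review_access(text):
    """Periodic review of user activity: return every event performed by a user
    whose license was expired (or whose account is unknown) at access time.
    days_past_expiry is None for accounts that are not in the registry at all."""
    findings = []
    for day, user, action in parse_log(text):
        if license_is_valid(user, day):
            continue
        expiry = ACCOUNTS.get(user)
        findings.append({
            "date": day.isoformat(),
            "user": user,
            "action": action,
            "days_past_expiry": (day - expiry).days if expiry else None,
        })
    return findings


def accounts_to_disable(as_of_iso):
    """Periodic account review: user ids whose license has expired as of the
    given ISO date, i.e. accounts that should no longer be able to log in."""
    as_of = date.fromisoformat(as_of_iso)
    return sorted(u for u, exp in ACCOUNTS.items() if exp < as_of)


if __name__ == "__main__":
    for finding in review_access(AUDIT_LOG):
        print(finding)
    print("disable:", accounts_to_disable("2017-11-30"))
```

Running the review over the constructed log surfaces the two expired users' logins and searches (with the count of days past expiry) and the one unknown account, which is the kind of output a scheduled account review would hand to an administrator; the same `license_is_valid` check, applied at login rather than after the fact, is what keeps those events from happening in the first place.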
In written response to the audit, DOPL Director Mark Steinagel said the department was addressing issues identified in the report. He said the agency has or will adopt all of the audit's recommendations.