Utah Governor Calls For Audit of All State Technology Security and Data Storage Procedures Following Medicaid Data Breach
Following a recent data breach of a Utah Department of Technology Services (DTS) server that contained Medicaid patient information and exposed almost 800,000 individuals, Utah Governor Gary R. Herbert called for a comprehensive audit of all state technology security and data storage procedures.
When first announced early this month, Utah’s Department of Health initially reported that about 24,000 individuals were affected, but subsequent updates from the Department showed that the number was significantly higher and is now estimated to affect total of approximately 280,000 victims who had their Social Security numbers stolen and approximately 500,000 other victims who had less-sensitive personal information stolen.
“Individuals provide sensitive personal information to the government in a relationship of trust. It is tragic that not only data was breached, but now individual trust is also compromised,” Governor said. “DTS is doing everything they can to restore security. Now we must do everything we can to restore trust. Toward that aim, I am calling for an independent audit of all DTS security and data storage procedures and protocols.”
“Our immediate priority is to protect those whose personal information has been exposed. Therefore, we will continue to work with law enforcement, including the FBI, to find the criminals responsible.” he continued. “We have mobilized all available resources and personnel in an ‘all hands on deck, around the clock’ response until every victim is identified and notified. Rest assured, we are working to ensure it never happens again.”
“You can put all the locks on a house that you need, but if a thief chooses to look under your doormat for a front door key, he can easily enter and rob you blind,” said Robert Siciliano, an online security evangelist for McAfee. “While we do not have all of the specific details of the incident in Salt Lake City, it appears that the systems in question had the encryption measures required, but that a single user’s weak password could have provided access to these sensitive records. This is another reminder that the failure to implement organizational security policies is, in itself, a weak link in IT security.”