Security Experts:

Utah's IT Boss Resigns After Massive Data Breach and Policy Failure

Stephen Fletcher, the executive director of Utah’s Dept. of Technology Services (DTS), has resigned following the aftermath of a massive data breach earlier this year that exposed nearly one million people, including children. The staffing changes come after preliminary investigations exposed serious flaws within the state’s IT practices, including storing information that shouldn’t have been kept at all.

In April, SecurityWeek reported on the news that Utah’s Department of Health (UDOH) had alerted parents and patients to the fact that a data breach that was initially said to have impacted only 24,000 records, had in fact impacted181,604 people. Within 24-hours of that announcement, the numbers were changed again. This time, the UDOH said that the attackers compromised 780,000 records, including 280,000 records that contained Social Security Numbers.

The attackers hit a server that stored Medicaid claims and Children’s Health Insurance Plan (CHIP) data. Typically, the UDOH explained at the time, claims stored on servers like the one breached could include client names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes.

Subsequent investigations into the breach discovered that the claims targeted and eventually compromised shouldn’t have been there at all, at least not in the volume that they were. The total number of records compromised was the direct result of a failure to follow department policy and security controls.

The records themselves existed because a healthcare provider had submitted the data through the UDOH servers in order to confirm coverage under Medicaid and CHIP. The process is called an inquiry, and there are strict controls in place to guard the data. Unfortunately for the patients, it wasn’t adhered to.

The executive director of Utah’s Department of Health, David Patton, told victims at a community forum on May 1 that the compromised records had been on the server for more than three months, when in fact the information “should have been deleted the day after the inquiry.”

“The data should not have been there when it was compromised,” he added.

In addition to Stephen Fletcher stepping down from his position, other actions in the aftermath of the breach include the hiring of a PR firm to handle crisis communications and rebuild trust with the public, and the appointment of Deloitte & Touche to do a security audit along side the sate’s own internal audit.

[The crisis PR RFP can be seen here.] 

"The compromise of even one person's private information is a completely unacceptable breach of trust," said Governor Gary R. Herbert in a statement.

"The people of Utah rightly believe that their government will protect them, their families and their personal data. As a state government, we failed to honor that commitment. For that, as your Governor and as an Utahn, I am deeply sorry."

Mark VanOrden has been moved to acting director of DTS, he’s an IT veteran with 28-years under his belt. In addition, Governor Herbert's appointed Sheila Walsh-McDonald as the new Health Data Security Ombudman.

Utah State Senate President, Michael Waddoups, said that he expected the cost of the response to the data breach to run between 2 and 10 million dollars, more if the state faces lawsuits and fines.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.