Follow-up on Utah Dept. of Health Breach
When it comes to major data breaches, some organizations meet the minimum requirements for notification and then hope for the best while keeping their heads down and trying to sweep away the mess from public view. But the Utah Department of Health is taking a very different approach thatâ€™s worthy of imitation.
On July 26, the department held the first in a series of about a dozen outreach events across the state aimed at helping the public better understand the impact of a March hacking incident. The three-hour evening workshops will be held through August.
But thatâ€™s not the only extraordinary step the state has taken. For example, Gov. Gary Herbert in May appointed consumer healthcare advocate Sheila Walsh-McDonald to the newly created position of health data security ombudsman. Sheâ€™s spearheading the stateâ€™s aggressive outreach efforts, which also include a hotline as well as a website dedicated to the breach. The site includes warnings that individuals should not to be fooled by â€śscammersâ€ť trying to get people to reveal their personal information by phone, text message or e-mail.
â€śWeâ€™re trying to rebuild trust,â€ť Walsh-McDonald says. â€śWe want people to know that weâ€™re making sure data is secure.â€ť
The March breach involved a Utah Department of Technology Services server that stored Medicaid and Childrenâ€™s Health Insurance Program claims data. The state says hackers from Eastern Europe downloaded from the server personal health information on 780,000 individuals, including the Social Security numbers of 280,000. So far, the state has no evidence the information has been used to commit fraud.
Now that public assistance is going on the road in an attempt to reach more people in the state. And thatâ€™s smart because it brings help to people who might be befuddled about the breach, uncomfortable or unable to call the hotline, or just too busy or forgetful to have acted on their own.
The hotline received nearly 4,900 calls in May shortly after the breach was revealed and about 2,600 calls in June. Initially, most calls were from individuals inquiring whether their Social Security numbers were breached. Now, most of the calls are from people requesting replacement copies of lost or destroyed notification letters they had received.
A goal of the workshops is to reinvigorate public interest and get more people signed up for credit monitoring, Walsh-McDonald says. So far, of the 280,000 individuals whose Social Security numbers were breached, only 18 percent have signed up for the monitoring.
Part of the problem with sign up, suspects Walsh-McDonald, is that some people are confused as to whether their Social Security number was actually stolen, since initial reports indicated that the breach affected Medicaid and CHIP beneficiaries, she says. Some people who received breach notification letters from the state with instructions for signing up for credit monitoring thought their letters were sent in error because they arenâ€™t covered by Medicaid or CHIP, Walsh-McDonald says.
â€śMany people threw those letters away,â€ť she says. However, even citizens who arenâ€™t covered by Medicaid or CHIP could have had their Social Security numbers stolen if a healthcare provider previously entered an individualâ€™s data to check Medicaid or CHIP eligibility, she says.
The other 500,000 people affected by the breach didnâ€™t have their Social Security numbers stolen, but did have other personal health information compromised. â€śThat involved less sensitive information,â€ť such as various combinations of personal data, including name, date of birth, address, provider name, and medical billing codes, she explains.
In the aftermath of the breach, the stateâ€™s Department of Technology Services has been ramping up data security. For example, the state now encrypts protected health information in storage as well as when itâ€™s transmitted.
In May, Gov. Herbert shook up Utahâ€™s IT organization, asking for the resignation of the head of DTS and appointing a replacement. The state also hired IT services firm Deloitte and Touche to conduct a forensic analysis and risk assessment of the stateâ€™s servers and storage systems. It also hired a public relations firm thatâ€™s helping with Utahâ€™s data breach communication and public outreach programs.
The state also is tackling such issues as perimeter security, network security, application security, data security, identity management, security controls, network monitoring and intrusion-detection capabilities. And itâ€™s reviewing all security policies and procedures.
While Utah continues to deal with the aftermath of its breach, one thing seems clear: State officials have placed a strong emphasis on outreach to the victims.
We hope other organizations that experience breaches also make outreach a top priority.