Utah data breach leads to CTO resignation, multi-pronged response

In the wake of a data breach that impacted almost 800,000 Utah residents, the state has begun a multi-pronged response including the resignation of the state’s chief technology officer (CTO).

On March 30, hackers broke into a Medicaid eligibility server and stole the online health records of about 780,000 Medicaid recipients and participants in the Children’s Health Insurance Program, including the Social Security numbers of about 280,000 of them, according to information published on the official Utah state website.

Officials say security tools on the computer server were installed improperly. Medical clinics used the server to validate claims of retirees on Medicaid and others. Some data were said to be indecipherable or disconnected from a name, making it hard to assess the full damage. State officials have said the information should have been deleted from the server once a claim was validated, and should not have been retained as records.

In a May 15 press conference, Utah Governor Gary R. Herbert detailed the state’s response to the data breach which includes a full-scale, independent audit of technology security systems, the appointment of a new health data security ombudsman, investigation by law enforcement and personnel action.

“The state of Utah must restore the trust placed in it,” Herbert said.“Cyber-security is the modern battlefront and we are all enlisted—you, me, our state agencies, the legislature—all of us have a critical role to play.”

The March 30 unauthorized transfer of personal files from state servers was an isolated incident, Herbert said as he apologized to the victims. “The compromise of even one person’s private information is a completely unacceptable breach of trust.”

A comprehensive, independent security audit of information technology systems, both for this incident and across all agencies, is underway, according to the governor’s office, as is an assessment of the state’s response to victims.

Herbert has appointed Sheila Walsh-McDonald as the new Health Data Security Ombudsman. She will oversee individual case management, credit counseling and public outreach.

The governor also announced the resignation of Stephen Fletcher, executive director of the Department of Technology Services (DTS), and the subsequent appointment of 28-year IT veteran Mark VanOrden as acting director of DTS. VanOrden is the IT director for the Utah Department of Workforce Services.

The state also will hire a public relations firm to handle crisis communications and offer free credit monitoring to the victims.