A Comprehensive State Response to Data Breach
By Governor Gary R. Herbert
Remarks given on May 15, 2012, regarding the Medicaid data breach
On April 2 my office was notified of an information breach of health data on a server managed by the Department of Technology Services (DTS). The server contained both Medicaid and Children’s Health Insurance Program (CHIP) data. During the initial investigation, DTS discovered data from eligibility inquiries was also stored on the server. Those inquiries were sent from health care providers, or third-party billing entities, to determine if patients were enrolled in Medicaid, but those patients may not necessarily be Medicaid or CHIP clients.
The breach occurred March 10 due to an error at the password authentication level, allowing the hacker to circumvent the security system. The unauthorized transfer of information appears to have occurred March 30. During the breach, hundreds of thousands of Utahns—and even individuals outside of Utah—had their Social Security numbers and miscellaneous pieces of personal information compromised by hackers originating in Eastern Europe. As soon as the breach was discovered, DTS immediately shut down the server, the Department of Health began efforts to notify victims and the FBI began an investigation.
We are now able to confirm that this was an isolated incident. Furthermore, personal financial information, such as bank account numbers or credit card numbers, was NOT stored on the affected server and would NOT have been compromised during the attack. The most sensitive information stored on the server was individuals’ Social Security numbers (SSNs). Approximately 280,000 people had their SSNs stolen off the server. Other less sensitive information, such as names, dates of birth, and addresses, was also stored on the server. Initially, it appeared that as many as 500,000 additional individuals may have had this less sensitive information compromised. However, because so much data was duplicate information, there are fewer victims than originally believed.
However, the compromise of even one person’s private information is a completely unacceptable breach of TRUST. The people of Utah rightly believe that their government will PROTECT them, their families and their personal data.
As a state government, we failed to honor that commitment. For that, as your Governor and as a Utahn, I am deeply sorry. I recognize the tremendous uncertainty and anxiety this episode has created for so many people across our state.
Protect and restore trust
As I have stated repeatedly, the State of Utah must restore the trust placed in it. From the onset, the State’s efforts have been to protect possible victims.
In that vein, the State engaged the media to get the word out and launched a hotline (1-855-238-3339) for information and referral and updated the Department of Health’s website to provide as much information as possible. While the State has no evidence that the compromised data has been misused, the Department of Health notified impacted individuals by mail as soon as positive identities and mailing addresses could be confirmed. Those individuals were offered one year of free credit monitoring through Experian, one of the major credit monitoring companies.
The service for adults is called ProtectMyID, and the service for households with children whose Social Security Numbers were stolen is called Family Secure. Enrollment in either of these programs includes an insurance policy that will protect an individual from bearing certain costs if they become a victim of identity theft. The value of those programs is up to $1 million for individuals and up to $2 million for families.
At this point, I want to stop and strongly encourage all individuals whose Social Security numbers were stolen to please take advantage of this free, valuable service and enroll as soon as possible. If an individual has received the official letter from the Department of Health, they must enroll before August 31, 2012. Enrollment entails providing an activation code included on the letter and includes:
1. A free credit report
2. Daily credit monitoring
3. Identity theft resolution
4. $1 million of identity theft insurance for any possible identity theft damages related to this incident.
If anyone has any difficulty understanding the letter or process, they should call the hotline number. Also, if you are the parent or guardian of a minor, please be aware the Attorney General’s Office now offers the Child’s Identity Protection (CIP) program to help prevent identity thieves from using a child’s information in the issuance of credit.
CIP provides Utah parents and guardians a free and secure process to enroll a child’s information with TransUnion, a national credit reporting company. The child’s information will remain in the High Risk Fraud database until the child’s 17th birthday, when it is automatically removed. More information about the Child’s Identity Protection (CIP) program is available at cip.utah.gov.
The State has also been engaged in public forums and community outreach to provide assistance and information. Concurrently, the Department of Technology Services launched a full-scale review of security on all information systems statewide. Health Medicaid Claims data are now encrypted when data is at rest behind multiple layers of security on state systems, and not only when in transit.
And while this was happening, I called for a comprehensive, independent security audit of information technology systems—not only for this episode, but across all agencies. For that audit, the State of Utah has retained Deloitte & Touche, a respected and recognized global leader in risk, security and privacy services, and the team from Deloitte has now begun its work. Throughout their assessment, Deloitte will provide the State of Utah with recommendations on how we can better protect Utahns and their personal information going forward.
We are also taking a closer look at our response to victims, as we want to provide the best service possible to protect private data and help individuals going forward. For that review, we are contracting with Hogan Lovells to first assess our efforts in relation to the Health Insurance Portability and Accountability Act, ensure any potential harm to victims is minimized, and then develop mitigation plans for enhanced privacy and security policies. Furthermore, we will engage the Digital Health Services Commission going forward as technical experts to assist in our review of process and solutions.
When it comes to private data, the State of Utah—that includes every one of its employees—must take that responsibility very seriously. And frankly, we generally perform at a very high level. But as we know from this incident, this breach was the direct result of employees who neglected to adhere to established security protocols.
Simply put: There is no room for error. That is why we have redundancy and quality control processes—to ensure error does not occur. In this incident, process was clearly not followed.
Consequently, after my initial review, I find personnel action is warranted at this time. As is appropriate within state employee processes, two personnel are now being reviewed for corrective action or termination. And based on what I believe was inadequate oversight of this incident and the agency, I have requested and received the resignation of the executive director of the Department of Technology Services.
I have asked Mark VanOrden, IT director at the Department of Workforce Services (DWS), to serve as interim director at DTS and to fully cooperate with Deloitte in their independent review of the agency. A recipient of the notable Merrill Baumgardner award for excellence, Mark is a 28-year veteran of the State’s IT force, and has overseen the development of five major products for DWS. Mark is known for his ability to “think outside the box,” with a combination of management and technical skills. Right now, I am counting on and am confident in his ability to pull the DTS team together to focus on optimizing the value of Deloitte’s audits and our efforts to rebuild public trust in our IT systems and processes.
You may be interested to know that we have been told by law enforcement that cyber attacks on public information systems have increased by 600% this year. Cyber terrorists and hackers try to access our state systems a million times per day. We have been generally successful in thwarting those attempts and we will remain vigilant in our effort to ensure Utah’s state security is rock solid. In fact, we are committed to enhancing our IT systems and processes to ensure an even more secure IT environment.
But I want justice for the people of Utah—for the potential impact to individual lives and families, as well as the brazen theft from a governmental entity. So we will remain engaged with the FBI and local law enforcement as they move forward with the investigation and as they work directly with the East European government in a cooperative effort to identify the thief or thieves who did this. The reality is that we have been told this could be a prolonged process and this type of criminal can prove difficult to apprehend. But the people of Utah have my commitment to see this through. I assure you, the State of Utah will exhaust every option available to bring these criminals to justice.
Health Data Security Ombudsman
In addition to our ongoing efforts, including audits and investigation, today I announce the appointment of a HEALTH DATA SECURITY OMBUDSMAN. The ombudsman will coordinate three critical components of Utah’s public response to this incident:
1. Individual case management for victims and families
2. Credit counseling and identity theft resources
3. Public outreach and stakeholder collaboration
I am honored and delighted to announce the appointment of Sheila Walsh-McDonald as director of the Health Data Security Ombudsman Office. Sheila will report directly to the executive director of the Utah Department of Health, Dr. David Patton. They are both here with us today.
Sheila is a trusted and experienced member of the public health and advocacy community, having dedicated her 33-year professional career to working on behalf of Utah’s disparate populations, with a focus on improving and strengthening the public and private programs that serve them. She earned her Bachelor of Social Work at Temple University in Philadelphia, Pennsylvania, graduating Cum Laude and completed her Master of Social Work at the University of Utah, with an emphasis on community organization and public policy. The vast majority of her career has been spent at the Salt Lake Community Action Program and, I can tell you, Sheila is both known and well-respected on Utah’s Capitol Hill. As a health care, welfare reform, and homeless advocate, Sheila has worked closely with state agencies to assure the best policies are implemented to help low-income families and individuals become self-sufficient. Her office will be located alongside Dr. Patton, on the 4th floor of the Cannon Building in Salt Lake City. Sheila will focus on case management, credit counseling and community outreach.
There remain many unanswered questions, but as we move forward, we will remain focused on our objective to restore trust. We will only do that successfully when our systems are secure and our citizens and their credit are safe. We will continue to work with medical providers to address in practical ways how we can ensure their business needs are met without jeopardizing individual identities or security. We are committed to work with legislators to address both the costs associated with this incident, as well as possible statutory remedies that may be warranted.
A Note of Caution
It is imperative that I provide a strong word of caution at this time. We must all take heed and beware of scammers. There are those who will prey on the vulnerable and ill-informed. To the people of Utah, please know that NO ONE from the State will contact you and ask for information over the phone or via email regarding this incident. I strongly recommend that you do not provide private information, especially not a Social Security Number or account information, in response to a phone call or email you DID NOT initiate. This incident is a tragic reminder that it is a different world in which we live. The dynamics continue to change and there is a very real and growing cyber risk.
As I conclude, let me reiterate: The State’s driving objective is to restore trust in the government of the State of Utah. This news is unsettling. It’s stressful. It’s personal. In fact, I have family members who received a letter from the Dept. of Health. The Lt. Governor received a letter. Family members of my staff received letters. For me, this IS personal. It significantly affects the people of Utah and thousands of families statewide. Because I am your Governor, THAT makes it personal.
Please be assured that the personnel for the State of Utah are not only reviewing what happened. We are not only sorry it happened. We are identifying the best ways to make sure it does not happen again. Cyber-security is the modern battlefront and we are all enlisted—you, me, our state agencies, the Legislature—all of us have a critical role to play. As the citizens of this great state do our part to protect ourselves and our families, the State of Utah is committed to do its part better.