This is an archived article that was published on sltrib.com in 2016, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.
Personal information of about 14,200 people — largely current and former Salt Lake County employees — was exposed for 75 days last summer, the district attorney's office has concluded.
But, thanks to a "white-hat hacker searching the Web for data that shouldn't be there," the illicit worker-compensation information apparently was pulled back before anyone else gained access to it, Jeff Rowley, risk manager for the district attorney's office, said in a report to the County Council this week.
"If we're going to have a breach," he added, "this is as good a breach as you can have."
County officials learned of the data breach on Sept. 9 after an industry trade publication, Modern Healthcare, reported 1.5 million records from California, Utah and Kansas were exposed starting June 18.
The breach occurred when Systema Software — a California company that provides claims-administration software to government agencies and private clients to handle worker compensation and auto and property insurance claims — was upgrading its system.
Intermediate storage places for this data, Rowley said, were "set up improperly, and our files were available on the Web."
He said county officials responded quickly after the hacker, Chris Vickery, found them online and reported his discovery to Systema and the proper authorities. At the time, Systema said Vickery "provided written confirmation to the Texas attorney general that he has not shared or used the data inappropriately."
That prompted Councilman Richard Snelgrove to suggest the council offer an "expression of gratitude for what [Vickery] did as a public service."
As soon as the breach was discovered, Rowley said, county officials informed their cyber-insurance carrier, hired a cyber-security company called Kroll to assess the system, sent letters to victims now living in eight states and set up a call center to answer questions.
The county's investigation determined 8,000 people had their "personal identifiers and medical records" breached. Another 6,200 had only their names and contact information exposed.
The county also hired a legal expert in breaches to help it respond properly, Rowley said, noting that exposed employees will receive credit-monitoring and credit-restoration assistance.
The county has paid $88,000 to remedy the situation, mostly for the breach counsel and credit monitoring. Rowley said he expects the bottom line to "grow as people sign up for fraud monitoring — but not a lot more."
He also foresees the county receiving reimbursement for most of these expenses from the contractor.