This is an archived article that was published on sltrib.com in 2012, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

The hacking of a Utah server containing Medicaid data has exposed a weakness — and a double-standard — in how the state handles sensitive health information.

The hacking of a Utah server containing Medicaid data has exposed a weakness — and a double-standard — in how the state handles sensitive health information.

Officials blame the March 30 pilfering on human error. A state Department of Technology Services employee didn't follow protocol when placing a test server online and hackers exploited a weak password, they said.

But the stolen data weren't encrypted, an oversight that may have been in violation of a federal law and that officials on Thursday said they will explore remedying. In jeopardy is the personal information of 780,000 Utahns.

"We are reviewing all of our data storage … and will explore encryption as a further safeguard," said Utah Department of Health spokesman Tom Hudachko. "We will have to consider the number and type of records, the cost of encryption and weigh it against the potential risk."

Whether Utah broke the law is for U.S. Health and Human Services officials to decide. Under the 2009 Health Information Technology for Economic and Clinical Health Act, or HITECH, insurers, hospitals and government entities that do not encrypt health data, then see it stolen, can be slapped with hefty penalties.

But the breach of trust alarms consumers who wonder whether other health data stored by the state is vulnerable.

Health information technology is a booming, multibillion-dollar industry fueled by a renewed appetite to use patient data to improve medical care and cut costs. And government entities are at the forefront. The health department uses 125 of Utah's 520 servers.

And on those servers is Utah's year-old All Payer Database (APD), a repository of private insurance claims.

"If we think Medicaid data sets are big, envision being able to hack into a database which contains everything about almost everyone in the state — addresses, Social Security numbers, family members, and all medical care," said Joan Ogden.

Ogden, an actuary in Salt Lake City, is on Medicare, which doesn't feed the APD. But the state's largest insurers, including SelectHealth and Regence BlueCross BlueShield, share claims.

"The reply that questioners about data security have been provided is, 'We're the state, our data is secure,' " said Ogden. "Yeah, sure."

Unlike Medicaid claims, however, APD data are fully encrypted both in transit — en route from insurers — and at rest on the server. Medicaid claims are only encrypted in transit.

It's a double-standard, but probably not intentional, say advocates for the poor.

"The APD was constructed at a time when we were thinking about hacking and computer security issues," said Lincoln Nehring, Medicaid policy analyst at Voices for Utah Children. "But when our [Medicaid claims] system was built in the late '70s or early '80s, it wasn't on anyone's radar. That was before the Internet as we know it."

For years, health officials have asked the Legislature for funding to upgrade their system. Last year, on the heels of scathing audits highlighting loose cost and fraud controls, lawmakers footed some money, but not the full amount requested.

Data security experts say all personal health information should be encrypted, period.

"It's questionable why that wasn't happening," said Mark Bower, a vice president at Voltage Security in California.

Old, so-called legacy systems used to be expensive and difficult to encrypt, but technologies have improved and prices have dropped, Bower said.

"Thinking your data won't be broken into at some point is like operating a retail store and not expecting to see shoplifters," he said. "You need to assume you'll be breached and take measures to make the data useless to attackers."

Stealing or snooping at patients' private records has becoming increasingly common. Last year there was an unprecedented 97-percent increase in health breaches, according to an analysis of federal data by Redspin Inc.

"You can run, but you can't hide from hackers and fraudsters," said security consultant John Boyd, principal of The Boyd Co. in New Jersey. Despite a tepid economy, he estimates that health data security spending will top $40 billion this year and $70 billion by 2015.

It's a need driven by the growing availability of health data, but also by stricter federal rules.

Breaches affecting more than 500 people must now be reported. And encryption, once recommended but not mandated by the 1996 Health Insurance Portability and Accountability Act, is becoming the legal standard.

HITECH now allows for significant penalties for breaches.

"Pre-HITECH [we were] limited in [our] ability to impose civil monetary penalties, [which] could not exceed $25,000 per year, said Leon Rodriguez, director of the federal agency's Office for Civil Rights.

Last March, BlueCross BlueShield of Tennessee agreed to pay the maximum $1.5 million penalty to settle violations stemming from the theft of 57 un-encrypted computer hard drives. On top of that, the insurer reportedly spent $17 million notifying 1 million victims, providing them credit monitoring and patching security holes.

For Utah, the fixes may not be obvious, said Brian Lapidus of Kroll Advisory Solutions. "Encryption of data is important, but it's not the only answer," he said. And the level of security "depends on how it's encrypted," he said.

Investigators will also weigh the steps taken to mitigate damage and prevent future break-ins.

Utah Gov. Gary Herbert has hired an independent team of auditors, or "white hat" hackers, to test the state's data security. Health officials have launched a hotline and are working to notify individuals affected by the breach, many of whom will get free credit monitoring.

Such efforts speak to the fact, said Hudachko, "that Medicaid and Children's Health Insurance Program clients deserve the same level of protection as anyone else."

Twitter: @kirstendstewart —

Explaining the breach

What happened?

On March 30, hackers broke into a poorly protected Utah computer server and stole Medicaid claims and other private information, including patient names, birth dates, addresses, health conditions and Social Security numbers.

Who was affected?

Initially state officials thought up to 25,000 Medicaid recipients had their data compromised, most of them children. Later they said 780,000 Utahns were affected, including uninsured patients who had visited a health provider in the last four months.

Who is at fault?

The invasion was traced to an Eastern European location, though authorities don't know whether that's where the hacking originated. The FBI is investigating.

What can consumers do to protect themselves?

The state Division of Consumer Protection warns against scams using the breach to snag personal information from people over the phone or email. All official state information will come by mail or hotline: 1-855-238-3339.