Home » News
Home » News

McEntee: In hacking fiasco, Gov. Gary Herbert needs to take names and kick butt

Published May 5, 2012 10:25 am
This is an archived article that was published on sltrib.com in 2012, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

I sort of saw it coming. I'd had a routine physical exam in February and bone density test at Salt Lake Regional Hospital. Because both were preventive care, my insurance company quickly paid in full.

Now I find myself one of the 790,000 Utahns whose sensitive health information was hacked because some Department of Technology Services employee failed to follow protocol and because the stolen data wasn't encrypted.

I'm not just angry — I'm worried sick that all the work I've done to build a good credit record and protect my Social Security number is for naught. Also, I am not now and have never been on Medicaid.

So, upon returning from a wonderful vacation, I was greeted by a letter from the state telling me about a "possible security breach" that means my personal information "may have been potentially exposed to others. We deeply regret this incident."

Well, that's just great.

But wait! The state offered me a complimentary one-year membership in the credit bureau Experian for a ProtectMyData Alert. Predictably, when I set out to join it online, I went through about half the steps before the computer kicked me out.

News reports had said some people had called customer service, only to get robotic answers from what seemed to be a rote list of non-answers. This is one point where I got lucky: A competent woman named Tanyeka walked me through it, and with the help of a Tribune IT guy, I finished registering.

I can only hope it actually will protect me from evil-doers.

I did, like most patients, sign a federal Health Insurance Portability and Accountability Act (HIPAA) at my doctor's office and the hospital. That means my personal health information can be used to check whether I'm on Medicaid or some other form of coverage. But, like many other victims of the breach, I'm not and I have no other coverage.

Also, the state may have violated federal law for not encrypting the stolen data. That, I'm sure, will take a long time for the state and U.S. Department of Health and Human Services to figure out.

In the meantime, I and the other 780,000 people affected — which amounts to nearly 28 percent of Utah's population — are at risk of identity theft that could lead to fraud, purportedly delinquent payments or collection agencies.

There's cold comfort in a $1 million insurance policy that covers "certain costs including lost wages, private investigator fees, and unauthorized electronic fund transfers."

I have a job, a strong family and access to, for example, good lawyers and accountants.

But as the Utah Health Policy Project points out, what about those without such resources? Refugees, immigrants, people with limited or no English proficiency, those with mental illness or are in nursing homes, among many other limitations?

This is not just a crisis of technology or ineptitude. It's a real and long-term threat that will keep many of us on edge, prowling through credit reports, continually checking our bank and credit card accounts and waiting for relentless collection agencies to come calling.

The state of Utah has a lot to answer for, and apologies aren't enough. Gov. Gary Herbert seems to be a forgiving man — think of the Utah Department of Transportation's John Njord, the $13 million settlement on an I-15 bidding fiasco and the woman who was blamed and wrongly fired for it.

This time, Herbert needs to get tough and punish those responsible, and the state needs to cover victims' losses for as long as it takes to get this nasty problem solved.

Peg McEntee is a news columnist. Reach her at pegmcentee@sltrib.com, facebook.com/pegmcentee and Twitter, @Peg McEntee.






Reader comments on sltrib.com are the opinions of the writer, not The Salt Lake Tribune. We will delete comments containing obscenities, personal attacks and inappropriate or offensive remarks. Flagrant or repeat violators will be banned. If you see an objectionable comment, please alert us by clicking the arrow on the upper right side of the comment and selecting "Flag comment as inappropriate". If you've recently registered with Disqus or aren't seeing your comments immediately, you may need to verify your email address. To do so, visit disqus.com/account.
See more about comments here.
comments powered by Disqus