The lion's share of the 780,000 victims had no connection to the program; a good many were privately insured or on Medicare. But their information was sent to a poorly protected state server by providers and billing companies inquiring about their Medicaid eligibility.
"The government has all sorts of information on us," admitted Reid, noting providers trusted the state to keep patient data safe.
But trust swings many ways.
"This is an issue of trust, not only vis-a-vis the taxpayer and the government, but between the provider and patient," said Reid. "If I sign a form allowing my doctor to 'ping' Medicaid, that's one thing. But for [him] to do it without informed consent, that's another thing."
Exactly what language he'll prescribe isn't yet clear; Reid is still fine-tuning the bill in consultation with health industry leaders.
Health and Human Services Committee members signaled they would support the bill and asked pointed questions of new Utah Chief Information Officer Mark VanOrden.
"I trust [the employees at fault] are not continuing to be paid by taxpayers to do the job they were unable to do," said Mark Madsen, R-Lehi.
VanOrden assured him that in addition to the firing of his predecessor, Stephen Fletcher, another manager was asked to resign and two employees have been suspended without pay pending completion of an internal investigation.
An audit of all the state's data systems also is under way. The Medicaid Eligibility System that hackers broke into is now fully encrypted. And Utah Gov. Gary Herbert hired an ombudsman to help consumers take advantage of the year of free credit monitoring being offered.
"There may still be penalties. But we're hearing now that our response has been good," said Department of Health chief David Patton, noting the breach has, so far, cost about $2 million.