Victim of the Utah health data breach? You're not alone

Eleanor Sundwall's daughter isn't quite 2 years old and already she's had corrective surgery to repair a minor birth defect, survived a hospital-acquired infection and, most recently, had her Social Security number stolen.

"I am so angry, I've had to get a little Zen about it," said Sundwall, who learned on Monday that her daughter Emaline was among the 780,000 Utahns whose personal information was exposed in a massive Medicaid data breach. "My daughter had surgery, and as a result got a super bug. Now this."

It was shocking news, coming four weeks after the March 30 breach, but also because Sundwall's daughter is not on Medicaid. The entire family is privately insured through United Healthcare, said Sundwall, who is flummoxed over how her daughter's information wound up on a poorly protected state computer server.

She's unhappy with the state's "tepid" response and demanding that those responsible be held accountable.

She's not alone.

The Medicaid breach was not limited to people on public insurance.

If you've been to a Utah health care provider in the past four months – maybe even in the past year – your personal information may have been exposed. This applies to anyone, whether you visited a hospital, family doctor or had home health care, and whether you have private insurance, no insurance or you're a retiree on Medicare.

That's because many health providers, as part of their billing, often send patient names, birth dates and Social Security numbers to Medicaid to see if they are enrolled in the low-income insurance program.

Some do it directly, others through debt collectors, such as eScan Data Systems, Inc. or Cardon Healthcare Network.

But on Wednesday, Utah's largest hospital chain, Intermountain Healthcare, suspended these transactions until the state can prove its computers are secure.

Intermountain commonly runs the checks on patients who are uninsured, or who claim to be on Medicaid, or have past-due medical bills, said Intermountain spokesman Daron Cowley.

"It sounds surprising, but there are folks who are covered by Medicaid and don't know it," he said. "Our thought was that the risk to patients was negligible because information was being sent over encrypted lines to a state maintained database."

Cowley added: "If we find they are eligible for Medicaid, that's a good thing for patients who incur less personal expense and a good thing for the hospital because we spend less on collections."

This comes as a surprise to many victims of the breach, the scope of which shows just how much private health information changes hands with or without patients' full knowledge.

"I have never been without insurance and I'm 80 years old, and yet they managed to somehow get my Social Security number in that mess," said Maria Young of Salt Lake City. "There's no good reason for them to have it or keep it stored."

Some blame providers for a breach of trust. Others aim their anger at the state.

"This is a fireable offense. The data should have been encrypted and protected by a real password," said Bryan White of South Jordan. Hackers broke into an unprotected Department of Technology Services server by exploiting a weak password. Data on the server weren't encrypted.

The digitization of insurance claims and other medical information carries the promise of cutting costs and improving patient care, said David Sundwall, former Utah Department of Health director and vice chairman of the Medicaid and Chip Payment and Access Commission (MACPAC).

"But we pay a price for these modern technologies," he said.

Sundwall received notice yesterday that his Social Security number was compromised, sharing the fate of his granddaughter, Emaline.

"The only medical care I've had was in December at [an] Intermountain Healthcare [hospital]. How on earth was I in that database? I don't understand," Sundwall said. "I'm clearly not on Medicaid, but I am on Medicare."

Also among the victims: at least 28 doctors who treat Medicaid patients.

In their defense, state officials announced on April 9 that the scope of the breach had exploded. But they never explicitly stated that fully insured patients were at risk.

"The victims are likely to be people who have visited a health care provider in the past four months. Some may be Medicaid or CHIP recipients; others are individuals whose health care providers were unsure as to their status as Medicaid recipients," the news release said.

"At the time, we were really unsure about the types of patients that doctors query on," said Utah Department of Health spokesman Tom Hudachko. "Data wasn't sitting there in a nice tidy Excel file. Often we only had a Social Security number without a name or address attached, so it's taken time to put the pieces of the puzzle together and find out who those belong to."

That's cold comfort to Eleanor Sundwall. "If you're saying my daughter's Social Security number was exposed to criminals, don't obfuscate, just say it," she said.

Notices to breach victims were less than helpful, using terms like, "possible" security breach, and "information that may be potentially" exposed, she said. "If they had truly seemed contrite, I might be less angry."

John Wilson, a 12-year state employee with full health benefits, called the health department's hot line demanding to know which provider had shared his wife's personal information. "Doesn't it seem illegal?"

The answer from the Utah Department of Health is, no.

Patients consent to this by signing a federal Health Insurance Portability and Accountability Act, or HIPAA, disclosure, said health department spokesman Tom Hudachko. "If you read those there's some line in there explaining they can use personal health information to bill for health care services, work with your insurance company and other business partners," he said.

Still, patients say if it's not illegal, the practice of routinely trolling for extra payment without explicitly alerting the patient is unethical.

Corky Shill's husband, John Martin, had his Social Security number exposed in the hack. The 61-year-old has been on the state's Public Employee Health Plan for 40 years, she said.

"I've called every medical center and doctor he's been to in the last while. They all deny sharing his information," said the Salt Lake City woman. "Either they're lying, or the state is lying."

A list of providers who "pinged" the breached system shows how varied providers are in their billing practices. Topping the list are for-profit IASIS Healthcare hospitals, which pale in size to Intermountain and University of Utah Health Sciences.

Clinics and other providers also run Medicaid checks, but most are identified by ID numbers.

"We don't want to vilify health providers," said Hudachko. "They send us this information with the expectation that it be kept secure. There was a breakdown in our holding up that end of the bargain."

Eleanor Sundwall's daughter, Emaline Clawson, has visited several doctors recently. Any of them, the urologist, the pediatrician, an Intermountain after-hours clinic, or Primary Children's Medical Center, could have been the one to share information with the state, she says.

"I am an over-educated stay-at-home mom who has both the time, the resources, the support, a stable marriage, and educational background to be able to tackle this problem as well as possible," said the 40-year-old. "[But] I feel completely overwhelmed by this terrible news. I am enraged and confused and afraid for my daughter's credit and identity."

kstewart@sltrib.com

Twitter: @kirstendstewart —

Was your information hacked?

Protect yourself • If you've been to a Utah health provider in the past four months, or possibly the last year, your personal information may have been exposed in a state data breach. To find out if it was, call 1-855-238-3339.