Data breach | The Salt Lake Tribune

Herbert finally gets with it

This is an archived article that was published on sltrib.com in 2012, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

Gov. Gary Herbert has fired the state's top computer nerd in the wake of the Medicaid data breach. That earns the governor one point for enforcing accountability, but it won't do much for the 780,000 Utahns whose identities have been compromised and the 280,000 of those whose Social Security numbers were stolen. The sad truth appears to be that it is almost impossible to put this cat back in the bag.

More than six weeks after the initial theft of data from an unsecured computer server, the Herbert administration still is scurrying around trying to figure out new ways to help the victims. On Tuesday, the governor announced the appointment of a health data security ombudsman who will oversee individual case management, credit counseling and public outreach. The state is making available free credit monitoring service to victims for a year.

Herbert announced that he had asked for the resignation of Stephen Fletcher, director of the Department of Technology Services. The governor asking for Fletcher to fall on his sword was appropriate, if belated. The data should have been encrypted. It wasn't. In addition, something went awry at the "password authentication level," whatever that means, "allowing the hacker to circumvent the security system" on the server.

The server stored Medicaid and Children's Health Insurance Program claims data. In addition, because health-care providers queried the system electronically for Medicaid eligibility, the personal data of other patients who have nothing to do with Medicaid or CHIP also was on the server and was stolen. Those victims included people insured by private companies and by Medicare.

In addition, the state has engaged a contractor to conduct an independent security audit of the state's information technology systems. There also is a contract to monitor efforts to contact and notify victims. Together, those jobs are estimated to cost about $1.3 million.

The state also is hiring a public relations firm to spread the word about the breach. It will build a website, produce videos in multiple languages and write information to be distributed by news media and advocacy organizations explaining the breach and what people who may be victims can do to combat the fraudulent use of stolen information.

To his credit, the governor apologized personally to the people of Utah Tuesday for the breach. Though it has taken the administration weeks to fully engage this crisis, it finally is on the right track.