This is an archived article that was published on sltrib.com in 2012, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.
The blame for Utah's Medicaid data breach rests squarely with the state Department of Technology Services, not the Department of Health, said the state's interim Chief Information Officer.
Mark VanOrden, who had not been on the job for 24 hours, was grilled Wednesday by lawmakers seeking an explanation for the March 30 cyber attack on a state Medicaid server. He described a series of breakdowns in protocol which, coupled with human error and security holes, allowed hackers to steal the personal information of 780,000 Utahns.
And he vowed a thorough scrubbing of every server in the state.
"We're having staff go through all the servers and databases to identify those that contain personal information and determine if it's encrypted … Most of the data is not encrypted," he said. "We're evaluating the cost to encrypt all this data and asking whether that makes sense."
VanOrden did not have an estimate of the cost of such a large scale project. The breach already is estimated to have cost taxpayers up to $10 million, not including potential civil claims or federal penalties.
VanOrden's remarks were the first detailed explanation given by technology officials since the breach.
But they failed to fully satisfy lawmakers, who wonder if management failures don't reach deeper than VanOrden's predecessor, Stephen Fletcher, who was asked to resign in the wake of the security failure.
"I heard that 12 IT staff have left that department due to management issues," said Rep. Fred Cox, R-West Valley City. "If that's true, it seems to me one of the biggest problems may be IT management, not the technicians."
VanOrden said he'll delve into management issues. "Corrective action" is being taken with two employees, and a third employee at fault, a contract worker, is no longer with the state, he said. There have been no terminations.
Hackers actually broke into the server on March 10, but didn't begin downloading data until March 30. That activity wasn't detected until April 1.
On the server were Medicaid claims and the personal information of the uninsured, the privately insured and retirees on Medicaid: data sent by health providers and billing companies to inquire whether patients they treated were on the government-funded program.
The server was behind a firewall, but was placed online with the factory default login and password, which "shouldn't have happened," VanOrden said.
Among the other breakdowns he listed: The data wasn't encrypted and shouldn't have been kept on the server for as long as it was. And the server was deployed by a software programmer when that should have been done by a systems administrator.
VanOrden said systems administrators have security checklists to follow when upgrading or replacing old servers.
"Now every checklist will include the policy, so it's not forgotten," he said. "Two or three or four mistakes happened along the way that allowed this to happen. To be totally honest with you, this is DTS' fault, not the fault of the Department of Health."
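The breakdowns VanOrden lists (factory default credentials, unencrypted personal data, data kept past its useful life, a server deployed by someone outside the systems-administrator role) are exactly the items a pre-deployment checklist is meant to catch. The script below is an added example of expressing such a checklist as code so it cannot be "forgotten"; it is not from the article and not Utah DTS tooling. The default-credential list, the 90-day retention limit, the role names and the server inventory are all constructed placeholders; the audit date is the April 1 detection date the article gives.

```python
"""Pre-deployment checklist as code: audit a server inventory for the failure
modes the article describes. Added example; inventory and policy values are
constructed placeholders, not real vendor defaults or state policy."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed placeholder credential pairs that a checklist would refuse to ship with.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("dbadmin", "changeme"),
}
MAX_RETENTION_DAYS = 90                      # assumed policy for claims/eligibility data
DEPLOYER_ROLES_ALLOWED = {"systems_administrator"}
AUDIT_DATE = date(2012, 4, 1)                # date the breach was detected, per the article


@dataclass
class Server:
    name: str
    deployed_by_role: str
    login: str
    password: str
    contains_pii: bool
    encrypted_at_rest: bool
    oldest_record: date
    behind_firewall: bool = True


def audit_server(server: Server, today: date) -> list[str]:
    """Return the checklist findings for one server; an empty list means it passes."""
    findings: list[str] = []
    if (server.login, server.password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default credentials still set")
    if server.contains_pii and not server.encrypted_at_rest:
        findings.append("personal data stored unencrypted")
    age = (today - server.oldest_record).days
    if server.contains_pii and age > MAX_RETENTION_DAYS:
        findings.append(f"data retained {age} days, policy allows {MAX_RETENTION_DAYS}")
    if server.deployed_by_role not in DEPLOYER_ROLES_ALLOWED:
        findings.append(f"deployed by {server.deployed_by_role}, not a systems administrator")
    if not server.behind_firewall:
        findings.append("not behind a firewall")
    return findings


def audit_inventory(servers: list[Server], today: date) -> dict[str, list[str]]:
    """Map each server name to its findings."""
    return {s.name: audit_server(s, today) for s in servers}


# Constructed inventory: one server mirroring the article's failures, one compliant.
SAMPLE_INVENTORY = [
    Server("medicaid-eligibility-01", "software_programmer", "admin", "admin",
           contains_pii=True, encrypted_at_rest=False, oldest_record=date(2011, 10, 1)),
    Server("claims-archive-02", "systems_administrator", "svc_claims", "<rotated-secret>",
           contains_pii=True, encrypted_at_rest=True, oldest_record=date(2012, 3, 1)),
]


def run_sample_audit() -> dict[str, list[str]]:
    """Audit the constructed inventory as of the audit date."""
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in run_sample_audit().items():
        print(f"{'FAIL' if findings else 'PASS'} {name}")
        for finding in findings:
            print(f"   - {finding}")
```

Run against the sample inventory, the first server fails on all four of the article's points (default credentials, unencrypted data, 183 days of retention against a 90-day limit, deployment by a programmer) while the second passes; the point of the design is that each finding is a policy line that a build or change-control gate can refuse on, rather than a reminder on a paper list.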
Technology Services has been downsized and consolidated twice, most recently under former Gov. Jon Huntsman. IT experts used to reside at various state agencies, taking orders from them directly.
Lawmakers asked if the state should return to the old model.
VanOrden, who has 30 years in state government, most recently at the Department of Workforce Services, said no.
"I understand the concerns with consolidation and probably shared those concerns in 2005," he said. "But it has created opportunities. At DWS we couldn't afford full time security people. [The agency] is more secure today than we were seven years ago."
Was your information hacked?
If you've been to a Utah health provider in the past four months, or possibly the last year, your personal information may have been exposed in a state data breach. To find out, call 1-855-238-3339. You may be eligible for a year of free credit monitoring. If the operator can't answer your questions, you'll be referred to an ombudsman who may refer you to a credit counselor or law enforcement official.
Harmed by the breach?
Utah's Risk Management office has outlined how people who were harmed by the breach can seek restitution. Claims must be filed within one year of the date of the "accident." The date of the accident is the date of the breach, March 10. So far, no one is known to have been harmed, but advocates expect that the hackers who stole the data will use it later.
The total amount available to split among all victims would be $2,221,700.
Go to http://bit.ly/KQDC4q for information on how to file a claim.