personal health information data breach


Upload: alodie

Post on 06-Jan-2016


Page 1: Personal Health Information Data Breach

Personal Health Information Data Breach

Page 2: Personal Health Information Data Breach

What Happened?

• March 10, 2012: Computer hackers illegally access a Department of Technology Services (DTS) computer server that houses personal health information

• March 30, 2012: The hackers begin downloading information off the server

• April 2, 2012: DTS detects the breach and shuts down the server.

Page 3: Personal Health Information Data Breach

What Happened?

• A DTS investigation revealed the hackers were able to access the server due to weaker than normal security controls

– Specifically, a weak password

• The hackers were able to access personal information of up to 780,000 people

– Up to 280,000 people had Social Security numbers listed in the information

– Up to 500,000 others had less-sensitive information (name, address, date of birth, etc.) listed in the information

Page 4: Personal Health Information Data Breach

What Happened?

The state takes full responsibility for not ensuring the security of these data, and is deeply sorry for the distress the breach has caused.

Page 5: Personal Health Information Data Breach

Who Was Affected?

• Data on the server included Medicaid and CHIP claims payment information

– These are bills submitted by health care providers for services to Medicaid and CHIP clients

• Other data included Medicaid Eligibility Inquiries

– In these inquiries, health care providers or their third-party billing entities submit patient information to the state to see if they are currently enrolled in Medicaid

– Many people who have no history with the Medicaid program had their information submitted as part of this practice

Page 6: Personal Health Information Data Breach

Who Was Affected?

• Medicaid Eligibility Inquiries (cont.)

– These are routine transactions conducted throughout the health care industry

– Use of personal information to obtain payment through these inquiries is permitted by HIPAA

• Providers and their billing entities submit the information with the expectation that the state will keep the data secure.

Page 7: Personal Health Information Data Breach

What is Being Done?

• Notification letters are being sent to all victims DTS and UDOH can identify

– Top priority was to identify and notify those who had a SSN included in the information

– We have sent more than 275,000 SSN letters

– Letters to the rest of the victims started going out in late April

• Credit monitoring – state has contracted with Experian to provide one year coverage to those who had their SSN compromised

Page 8: Personal Health Information Data Breach

Public Outreach

• UDOH data breach notification web site:

– Information on obtaining free credit reports

– Credit freeze

– Fraud alert

– Child Identity Protection (Utah Attorney General’s Office)

– www.health.utah.gov/databreach

• Information hotlines

– Main line has handled more than 26,000 calls

– Other UDOH hotlines & staff have responded to an additional 2,000+ calls

– 1-855-238-3339

Page 9: Personal Health Information Data Breach

Public Outreach

• Media Relations

– Hosted two press conferences and issued four press releases in the first six days of the response

– More than 500 stories have appeared in newspapers, and on television and radio stations throughout the world

• Community/advocacy group presentations

– Utah Health Policy Project

– Utah Hospital Association

– Health Care Safety Net Summit

– Utah Services to the Deaf and Hard of Hearing

– Utah Coordinating Council for People with Disabilities

– Indian Health Advisory Board

– Scheduling future community forums

Page 10: Personal Health Information Data Breach

Restoring Trust

The Utah Department of Health plays a vital role in helping to provide a safety net for the state’s most vulnerable populations.

We are committed to restoring the trust of those members of the public who rely on our services, and those providers who help us deliver them.

Page 11: Personal Health Information Data Breach

Restoring Trust

• Independent Audits

– At the direction of Governor Herbert, two independent auditing firms have been hired to conduct separate reviews of the breach

• IT Security Audit

– The first audit will investigate the causes of the security breach and will also include a full-scale review of the state’s entire data security and data storage system

• Breach Notification Audit

– This audit will review the state’s efforts to notify victims of the breach and mitigate potential harm they may experience