It was an IT nightmare: On April 2, 2012, technicians working for the State of Utah's Department of Technology Services (DTS) discovered that hackers were downloading sensitive personal information about healthcare claimants from a state-run server. Included in the stolen data were 280,000 records containing Social Security numbers, as well as 500,000 additional records without SSNs but containing other sensitive personal information, such as name, address, or date of birth.
If that wasn't bad enough, the hackers, who appeared to hail from Eastern Europe, had been at their nefarious task since March 30. And their initial contact with the server had taken place on March 10.
After immediately shutting down the server, DTS staff investigated the breach over the next month, while state officials underwent a lengthy process of public apology and education, trying to ensure that people whose data went missing weren't further victimized by imposters phoning them with phony "help."
The state government has offered victims free credit monitoring service, but according to the Deseret News, just 10 percent of the 280,000 whose SSNs were breached are taking the state up on the offer. Still, at a cost of $16 per person per year, the state has already spent at least $448,000 on the service and could potentially end up shelling out $4.5 million.
The second shoe dropped on Tuesday this week, when Utah governor Gary Herbert fired executive director of DTS Stephen Fletcher; replaced him with a new acting director and former colleague, Mark VanOrden; and instituted a new position of Health Data Security Ombudsman, hiring Utah healthcare advocate Sheila Walsh-McDonald for the job.
Harsh, yes; but according to a statement in yesterday's Deseret News, Stephen Fletcher approved of the governor's action because he was ultimately in charge when the breach took place.
Fletcher also cited the difficulties of keeping data safe these days. "There has been a huge increase in the number of attacks against state systems -- about a 600 percent increase in the last four months -- and it is always a difficult challenge to make sure that you have adequate resources there to make sure the attacks are turned away," he told the press.
Interestingly, Fletcher was slated to appear today as a guest on Internet Evolution Radio. A request for comment from him for this blog was unanswered at press time.
Meanwhile, the new director of DTS has released a more detailed summation of the "multiple mistakes" that put the red carpet down for data thieves to enter Utah's Medicaid Management Information System. "Ninety-nine percent of the state's data is behind two firewalls, this information was not. It was not encrypted and it did not have hardened passwords," VanOrden told legislators in a meeting yesterday.
Default passwords installed at the factory were still in the system when it was shut down, he noted.
There were other problems: The server had been installed months ago by a contractor, not a staffer as department protocol demands. Also, DTS policy calls for servers like this one to undergo monitoring and a risk assessment -- steps that also weren't taken.
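The control gaps VanOrden lists (no firewall tiers, no encryption, factory-default and weak passwords, contractor installation, no monitoring, no risk assessment) are the kind of thing an inventory audit can flag before a server goes live. The following is an added illustration, not DTS code or anything the state published: a small Python checker that evaluates each server in a constructed inventory against those controls. Factory-default credentials are compared by digest against a constructed list, so the audit tool never carries the plaintext defaults; the `Server` fields, the sample hosts and the thresholds are assumptions.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed list: in practice built from vendor documentation for the products in use.
# Only digests are kept so the audit script itself does not hold plaintext defaults.
KNOWN_DEFAULT_HASHES = {sha256_hex(p) for p in ("admin", "password", "changeme")}


@dataclass
class Server:
    name: str
    firewall_tiers: int         # firewalls between the internet and the host
    encrypted_at_rest: bool
    admin_password_hash: str    # digest of the admin credential, as a vault would record it
    admin_password_length: int  # length metadata from the vault (constructed attribute)
    installed_by: str           # "staff" or "contractor"
    monitored: bool
    risk_assessed: bool


def audit_server(srv: Server, min_firewalls: int = 2, min_password_len: int = 14) -> list[str]:
    """Return the controls this server fails; an empty list means it is compliant."""
    findings = []
    if srv.firewall_tiers < min_firewalls:
        findings.append(f"only {srv.firewall_tiers} of {min_firewalls} required firewall tiers")
    if not srv.encrypted_at_rest:
        findings.append("data not encrypted at rest")
    if srv.admin_password_hash in KNOWN_DEFAULT_HASHES:
        findings.append("admin credential matches a factory default")
    elif srv.admin_password_length < min_password_len:
        findings.append(f"admin credential shorter than {min_password_len} characters")
    if srv.installed_by != "staff":
        findings.append(f"installed by {srv.installed_by}, not department staff")
    if not srv.monitored:
        findings.append("no monitoring in place")
    if not srv.risk_assessed:
        findings.append("no risk assessment on record")
    return findings


def audit_inventory(servers: list[Server]) -> dict[str, list[str]]:
    """Map each non-compliant server name to its list of findings."""
    report = {}
    for srv in servers:
        findings = audit_server(srv)
        if findings:
            report[srv.name] = findings
    return report


# Constructed inventory: one host with the gaps described in the article, one compliant host.
SAMPLE_INVENTORY = [
    Server("mmis-claims-01", 0, False, sha256_hex("admin"), 5, "contractor", False, False),
    Server("payroll-db-02", 2, True, sha256_hex("constructed-strong-passphrase-42!"), 33,
           "staff", True, True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints the non-compliant host with all six findings; a server that matches a default credential is reported for that rather than for its length, since replacing the credential is the fix either way.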
Despite the furor this breach has caused, it is far from unique. According to information posted by the Privacy Rights Clearinghouse, of the 203 data breaches reported so far this year in the US, 103 involved either government or healthcare information. Of that subset, 16 cases were the result of hacking.
The largest hacking of a government or healthcare information source this year in the US occurred in January 2012 at Indiana University, when the online records of 650,000 nationwide participants in a President's Challenge fitness program were breached. It seems no CIOs were harmed, however, in the resolution of that case.
— Mary Jander , Managing Editor, Internet Evolution