A serious breach of health and Medicaid data within the Utah Department of Health has taken down the state’s CIO, Steve Fletcher.
Fletcher’s departure was part of Utah Gov. Gary Herbert’s coordinated response Tuesday, May 15, to the breach, which was discovered April 2 and is believed to have compromised 280,000 Social Security numbers other personal information of an estimated 500,000 people, including names, addresses, birth dates and some details contained in patient health records.
Herbert said Deloitte & Touche has started a comprehensive security audit of the state’s technology systems. Sheila Walsh-McDonald also has been appointed to a new position called the “health data security ombudsman. “
"The compromise of even one person's private information is a completely unacceptable breach of trust," said Herbert in a statement. "The people of Utah rightly believe that their government will protect them, their families and their personal data. As a state government, we failed to honor that commitment. For that, as your Governor and as a Utahn, I am deeply sorry."
Fletcher, who led the state’s Department of Technology Services, was appointed state CIO in 2005. He will be replaced on an acting basis by Mark VanOrden, the IT director for the Utah Department of Workforce Services.
Fletcher is a past president of the National Association of State Chief Information Officers, and has garnered recognition over the years for leading innovative and collaborative IT projects. He is past recipient of Government Technology’s Top 25 Doers, Dreamers and Drivers award. Fletcher is credited with leading Utah’s enterprisewide IT consolidation and centralization, lauded by many as a public-sector success story.
The data breach was found to have occurred on March 30, made possible by a weak password that allowed hackers to break through the department’s security and steal the personal information of as many as 780,000 people. USA Today reported that cybercriminals are believed to have launched the attack from Eastern Europe.
The Utah Department of Health moved quickly to shore up its IT processes and notify potential victims, offering them free credit monitoring. The new health data security ombudsman will oversee individual case management, credit counseling and public outreach, the governor said Tuesday.
Fletcher told Government Technology on Tuesday afternoon that the breach was preventable, and that the incident shows that more funding is needed to protect government’s IT systems.
From a larger perspective, Fletcher said, the breach in Utah also is an example of a challenge that CIOs face: Ask for security funding before nothing has happened (and oftentimes get rejected), or wait until a breach happens (when it’s too late). Another factor to consider, Fletcher said, was that cyberattacks targeting Utah have spiked by 600 percent during the past four months — too short a time frame, especially during a legislative budget cycle, to pursue more funding that would be used to stave off the attacks.
According to Gov. Herbert’s office, there are nearly a million attempts each day to infiltrate the state’s IT network.
Fletcher said he’s disappointed that the security incident will likely overshadow much of the progress Utah has made. During the past five years, the state has reduced its IT operating costs by $73 million, Fletcher said. Utah also has made transparency gains, has developed a well regarded Web presence, and now offers more than 1,000 online services, he said.
The Utah Department of Health has set up a hotline (1-855-238-3339) to answers questions about the breach and to assist victims of the identity theft.