When it comes to major data breaches, some organizations meet the minimum requirements for notification and then hope for the best while keeping their heads down and trying to sweep away the mess from public view. But the Utah Department of Health is taking a very different approach that's worthy of imitation.
On July 26, the department held the first in a series of about a dozen outreach events across the state aimed at helping the public better understand the impact of a March hacking incident. The three-hour evening workshops will be held through August.
But that's not the only extraordinary step the state has taken. For example, Gov. Gary Herbert in May appointed consumer healthcare advocate Sheila Walsh-McDonald to the newly created position of health data security ombudsman. She's spearheading the state's aggressive outreach efforts, which also include a hotline as well as a website dedicated to the breach. The site includes warnings that individuals should not be fooled by "scammers" trying to get people to reveal their personal information by phone, text message, or e-mail.
"We're trying to rebuild trust," Walsh-McDonald says. "We want people to know that we're making sure data is secure."
The March breach involved a Utah Department of Technology Services server that stored Medicaid and Children's Health Insurance Program claims data. The state says hackers from Eastern Europe downloaded personal health information on 780,000 individuals from the server, including the Social Security numbers of 280,000. So far, the state has no evidence the information has been used to commit fraud.
Now that public-assistance effort is going on the road in an attempt to reach more people in the state. That's smart, because it brings help to people who might be befuddled about the breach, uncomfortable with or unable to call the hotline, or just too busy or forgetful to have acted on their own.
The hotline received nearly 4,900 calls in May shortly after the breach was revealed and about 2,600 calls in June. Initially, most calls were from individuals inquiring whether their Social Security numbers were breached. Now, most of the calls are from people requesting replacement copies of lost or destroyed notification letters they had received.
A goal of the workshops is to reinvigorate public interest and get more people signed up for credit monitoring, Walsh-McDonald says. So far, of the 280,000 individuals whose Social Security numbers were breached, only 18 percent have signed up for the monitoring.
Part of the problem with sign-up, Walsh-McDonald suspects, is that some people are confused about whether their Social Security number was actually stolen, because initial reports indicated that the breach affected Medicaid and CHIP beneficiaries. Some people who received breach notification letters from the state with instructions for signing up for credit monitoring thought their letters were sent in error because they aren't covered by Medicaid or CHIP, she says.
"Many people threw those letters away," she says. However, even citizens who aren't covered by Medicaid or CHIP could have had their Social Security numbers stolen if a healthcare provider previously entered an individual's data to check Medicaid or CHIP eligibility, she says.
The other 500,000 people affected by the breach didn't have their Social Security numbers stolen, but did have other personal health information compromised. "That involved less sensitive information," such as various combinations of personal data, including name, date of birth, address, provider name, and medical billing codes, she explains.
In the aftermath of the breach, the state's Department of Technology Services has been ramping up data security. For example, the state now encrypts protected health information in storage as well as when it's transmitted.
In May, Gov. Herbert shook up Utah's IT organization, asking for the resignation of the head of DTS and appointing a replacement. The state also hired IT services firm Deloitte and Touche to conduct a forensic analysis and risk assessment of the state's servers and storage systems. It also hired a public relations firm that's helping with Utah's data breach communication and public outreach programs.
The state also is tackling such issues as perimeter security, network security, application security, data security, identity management, security controls, network monitoring, and intrusion-detection capabilities. And it's reviewing all security policies and procedures.
While Utah continues to deal with the aftermath of its breach, one thing seems clear: State officials have placed a strong emphasis on outreach to the victims.
We hope other organizations that experience breaches also make outreach a top priority.