Proving, once again, that timing is everything, the public and committee members were left feeling less than satisfied with the Health Department’s report on the recent IT security breach. The breach, as you’ll recall, affected as many as 780,000 people’s names, 280,000 of which included Social Security numbers, when hackers were able to break into the Health Department’s data server.
The glaring lack of information was due to the timely, or untimely (depending on your perspective) forced resignation of Utah’s Director of Technology, Stephen Fletcher. The breach occurred over 7 weeks prior, but Governor Herbert made the decision to fire Fletcher only one day prior to the Interim session.
Despite the attendance by Fletcher’s replacement, Mark VanOrden, who also happens to be the IT Director for Workforce Services, and the newly appointed health data security Ombudsman, Sheila Walsh McDonald, the committee members were only able to get general answers to questions, and assurances that steps were being taken to make sure it didn’t happen again. More than once, Mr. VanOrden was forced to answer with, “I am sorry, but I’ve only been on the job for 24 hours and I don’t know that yet.” What we did learn is that: 1) the factory-set server password was never changed; 2) the data wasn’t encrypted; and 3) the data was stored on an open server.
It would have been very helpful and far more informative to have had Mr. Fletcher present to answer the hard questions, to explain, fully, what actually happened, and for him to have had to answer to the committee, the press, and more importantly, to the public, for such a breach—not only of the actual records, but of the public’s trust.