Personal health information data breach

PowerPoint Slideshow about 'Personal Health Information Data Breach' - alodie


What Happened?

  • March 10, 2012: Computer hackers illegally access a Department of Technology Services (DTS) computer server that houses personal health information

  • March 30, 2012: The hackers begin downloading information off the server

  • April 2, 2012: DTS detects the breach and shuts down the server.

What Happened?

  • A DTS investigation revealed the hackers were able to access the server due to weaker than normal security controls

    • Specifically, a weak password

  • The hackers were able to access personal information of up to 780,000 people

    • Up to 280,000 people had Social Security numbers listed in the information

    • Up to 500,000 others had less-sensitive information (name, address, date of birth, etc…) listed in the information

What Happened?

The state takes full responsibility for not ensuring the security of these data, and is deeply sorry for the distress the breach has caused.

Who Was Affected?

  • Data on the server included Medicaid and CHIP claims payment information

    • These are bills submitted by health care providers for services to Medicaid and CHIP clients

  • Other data included Medicaid Eligibility Inquiries

    • In these inquiries, health care providers or their third-party billing entities submit patient information to the state to see if they are currently enrolled in Medicaid

    • Many people who have no history with the Medicaid program had their information submitted as part of this practice

Who Was Affected?

  • Medicaid Eligibility Inquiries (cont.)

    • These are routine transactions conducted throughout the health care industry

    • Use of personal information to obtain payment through these inquiries is permitted by HIPAA

  • Providers and their billing entities submit the information with the expectation that the state will keep the data secure.

What is Being Done?

  • Notification letters are being sent to all victims DTS and UDOH can identify

    • Top priority was to identify and notify those who had a SSN included in the information

    • We have sent more than 275,000 SSN letters

    • Letters to the rest of the victims started going out in late April

  • Credit monitoring – state has contracted with Experian to provide one year of coverage to those who had their SSN compromised

Public Outreach

  • UDOH data breach notification web site:

    • Information on obtaining free credit reports

    • Credit freeze

    • Fraud alert

    • Child Identity Protection (Utah Attorney General’s Office)


  • Information hotlines

    • Main line has handled more than 26,000 calls

    • Other UDOH hotlines & staff have responded to an additional 2,000+ calls

    • 1-855-238-3339

Public Outreach

  • Media Relations

    • Hosted two press conferences and issued four press releases in the first six days of the response

    • More than 500 stories have appeared in newspapers, and on television and radio stations throughout the world

  • Community/advocacy group presentations

    • Utah Health Policy Project

    • Utah Hospital Association

    • Health Care Safety Net Summit

    • Utah Services to the Deaf and Hard of Hearing

    • Utah Coordinating Council for People with Disabilities

    • Indian Health Advisory Board

    • Scheduling future community forums

Restoring Trust

The Utah Department of Health plays a vital role in helping to provide a safety net for the state’s most vulnerable populations.

We are committed to restoring the trust of those members of the public who rely on our services, and those providers who help us deliver them.

Restoring Trust

  • Independent Audits

    • At the direction of Governor Herbert, two independent auditing firms have been hired to conduct separate reviews of the breach

  • IT Security Audit

    • The first audit will investigate the causes of the security breach and will also include a full-scale review of the state’s entire data security and data storage system

  • Breach Notification Audit

    • This audit will review the state’s efforts to notify victims of the breach and mitigate potential harm they may experience