BreachExchange mailing list archives

Utah health department reports another data breach


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 17 Jan 2013 13:47:04 -0500

http://www.cachevalleydaily.com/news/state/article_c3dfb2b6-7e9d-5381-96fa-0cf552c5b7f7.html

Personal information for Utah Medicaid recipients has once again been
compromised after a USB memory stick containing the data was lost, the
state Department of Health announced Wednesday.

Data for about 6,000 recipients were lost by an employee of an outside
contractor while traveling, the agency said in a statement.

The security breach comes less than a year after the Department of
Health announced hackers broke into a government server and stole the
personal information of about 780,000 Medicaid recipients and
participants in the Children's Health Insurance Program, including the
Social Security numbers of about 280,000 of them.

Utah's chief technology officer resigned in the wake of the spring 2012 theft.

The Health Department on Wednesday said the most recent breach is
limited to Medicaid recipients' names, Medicaid identification
numbers, ages and recent prescription drug use.

No Social Security numbers or financial information were included in
the lost data, the department said.

The contractor, Goold Health Systems, handles Medicaid pharmacy
transactions for the Health Department.

Department spokesman Tom Hudachko said the GHS employee, identified
only as a woman from Denver, was having trouble with an Internet
connection Thursday while trying to upload the data to a server. The
employee saved the personal information to an unencrypted USB memory
stick and left the Health Department with the device. The employee
lost the stick sometime in the following days while traveling between
Salt Lake City, Denver and Washington, D.C.

GHS confirmed the information was lost Tuesday, Hudachko said, and the
employee is no longer allowed to work with data for the Health
Department.

The employee violated both Health Department policy and the contract
GHS had with the agency.

Health Department Deputy Director and state Medicaid Director Michael
Hales said that because the information did not include Social
Security numbers or financial data, there's a minimal risk that the
breach will lead to identity theft. The department has no reason to
believe the data were targeted by anyone for "malicious purposes,"
Hales said in a statement.

The Health Department is in the process of sending out letters to the
individuals whose information was lost and said it is taking steps to
protect them from potential fraud.

The agency's executive director, Dr. David Patton, said he's asked for
a legal review of the contract with GHS and intends to pursue
"whatever financial or contractual remedies are available in order to
ensure GHS is held accountable for this serious mistake," he said.

Hudachko said the breach is frustrating for the department "because
we've essentially spent the last nine months responding to the breach
that we had last year."

He said that in the past nine months, the department has tried to
figure out where to strengthen its system, enacted more than 100 new
policies and trained almost 400 employees in data protection.

"Unfortunately, despite all those efforts that we've undertaken, it
just takes one individual who steps outside of policy and disregard of
protocol, and you've got an incident like this that happens," he said.

Though it was a contractor that lost the information, Hudachko said
the department will still take full responsibility.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list