Lawmakers discuss costs of health dept. data breach

Posted at 8:25 PM, May 16, 2012
and last updated 2012-05-17 01:00:01-04

SALT LAKE CITY -- Utah lawmakers listened to the two men in charge of the state's health and technology departments Wednesday as they gave details about the cause and cost of the data breach that exposed the identities of 780,000 Utahns.

The cost of the Utah Department of Health's online hacking breach is not fully known. However, lawmakers got an idea of how much the state will have to pay if all 280,000 who lost their social security numbers in the breach decide to take part in the free credit monitoring being offered.

The cost per person is $16. Multiply that by 280,000 and the state would have to pay nearly $4.5 million for credit monitoring.

"If everybody takes advantage of the credit monitoring service, which we actually hope they do, they could cost the state a lot of money," said Health Department Director David Patton.

But relatively few people are taking advantage. Only 26,000 of the 280,000 eligible victims have signed up for the service. The Department of Health has issued a request for proposal, or RFP, seeking a crisis management firm to help them contact all of the victims. Patton says they hope to head off potential problems and avoid even higher costs for people who lose their identities.

The unknown costs are what the state may have to pay in terms of potential lawsuits as well as measures put in place to prevent future breaches.

"It is our responsibility to have kept it safe and we failed," said Mark VanOrden, the new Director of the Department of Technical Services.

VanOrder took the reigns of the department after the former director, Stephen Fletcher, resigned as a result of the scandal.

Patton said cumulative costs may reach the tens of millions of dollars, though he said he was not going to make an estimate.

"We can insure that it is much more secure -- I think to ever say it's 100 percent, might be hard," said Patton. "But if we have it encrypted people cannot use that information for bad purposes."

Earlier this month, UDOH reported a computer server was put online with a weak password. On March 10, hackers attacked it. On March 30, the hackers began downloading people’s personal information. Employees at the Utah Department of Technology Services discovered it on April 2.

Tuesday Gov. Gary Herbert apologized to the 780,000 potential victims of the data breach.