SALT LAKE CITY — More than 2 million Utahns had their sensitive personal data put at significant security risk. That is the finding of an audit released by the Office of the Utah State Auditor, which says it uncovered the exposure during a privacy audit of the Department of Health and Human Services (DHHS).
The audit was started following a whistleblower complaint and found that DHHS has inadequate privacy incident response procedures and insufficient monitoring in place. Officials say that led to under-reported privacy incidents and potential exposure of highly sensitive personal data.
According to the audit, two major data repositories, the SAFE system used by the Division of Child and Family Services, and eChart, the record service used by the Utah State Hospital, allowed broad access to records without enforcing or monitoring access.
"The deficiencies we uncovered at the Department of Health and Human Services represent a critical failure to protect the privacy of families, individuals and our most vulnerable, Utah’s children," said State Auditor Tina M. Cannon. "When systems that store confidential data about children and individuals lack fundamental safeguards, the potential for misuse and long-term harm is immense. This is not merely saved data or historical files. These are key aspects that represent and open people’s private lives."
The three major findings of the audit are:
- Inadequate access controls in SAFE and eChart systems
  - Both systems permit broad access to sensitive records without enforcing or adequately monitoring access. A single compromised account could expose entire data repositories and open the door to identity theft, a threat that is especially critical for children's data, which is highly valuable on the dark web.
- Lack of monitoring and quality control related to DCFS's GRAMA team
  - The Division of Child and Family Services' GRAMA Team, which handles public records requests, faces significant backlogs and has released sensitive documents to the wrong parties.
- Inadequate incident response preparedness and training
  - DHHS lacks clear and effective incident response and training programs. Policies are poorly defined, and interviews with staff revealed widespread confusion.
The Office of the Utah State Auditor provided the findings of the audit to the Department of Health and Human Services. The full document can be found here.
The Social Services Appropriations Committee has also asked the office to present the findings at their meeting on February 11.