This is an archived article that was published on sltrib.com in 2016, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

Terence Waters' mind instantly flashed on worst-case scenarios when he saw Utah Gov. Gary Herbert on TV in 2012, announcing the largest data theft in the state's history.

Waters realized the dates Herbert read on air coincided with a jobless claim he'd recently filed with the state Department of Workforce Services. The Farmington resident's instincts as a longtime IT professional kicked in.

"I pretty much knew I had been hacked too," Waters said.

He swiftly ordered credit monitoring and, with his Social Security number indeed stolen, he's kept it in place ever since.

Federal authorities now say that the state networks penetrated by the hackers were so riddled with security weaknesses that it appeared Utah's technology experts "lacked commitment to security management."

Offering a first-ever glimpse of their findings, inspectors for the U.S. Department of Health and Human Services issued a report in January saying they identified 39 separate, "high-impact" network security lapses surrounding the massive March 10, 2012, Medicaid data breach and a second health-data leak in 2013.

The new Office of Inspector General report draws on five prior audits conducted in the immediate aftermath of the breaches but, to protect against further attacks, kept secret at the time. Auditors released the summary this year, they said, partly to underscore the gravity of their concerns and draw the attention of policymakers.

Investigators found systemic security flaws that went far beyond the initial loophole used in the 2012 hack: a Medicaid server deployed with its factory-issued password settings unchanged.

Data thieves absconded with personal records on up to 780,000 Utahns from a trove of names, Social Security numbers, medical diagnosis codes, insurance and taxpayer ID numbers and more.

The two exposures sent shock waves through state government and the public, and led to what a spokesman for Utah's Republican governor recently called "significantly improved security practices."

Herbert "knows that the threat of cybersecurity breaches is increasing every day," spokesman Jon Cox said. "As a result, the state of Utah is committed to dedicating attention and resources to this ongoing and evolving effort."

Data in danger • Most of the U.S. inspectors' findings center on the state Department of Technology Services, or DTS, the once-obscure agency responsible for providing a variety of IT services and support to other state agencies.

Auditors say the breach revealed that DTS networks did not have effective systemwide network protections in place. Their probe pointed to a lack of adequate policies and methods at DTS for managing security functions, such as controlling who had access and how the system was set up; day-to-day operations and planning; and ways to keep service going in case of an emergency.

At one point, auditors claim, one DTS team even shut another agency team out of the very network they were assigned to assess for security protections — though DTS officials say that incident was not independently substantiated.

Lapses were so widespread, basic and potentially dangerous, federal inspectors said they questioned whether DTS was making security a priority.

"Taken together, these weaknesses suggest that DTS management lacked commitment to security management," inspectors wrote. "As a result, Utah Medicaid data were at risk of unauthorized disclosure."

The report also faulted the state Department of Health for what it said were gaps in oversight over service agreements with DTS, leaving crucial data vulnerable. The second breach occurred when a health department contractor lost a USB memory stick she had loaded — contrary to department policy — with the names, ages and prescription information of 6,000 Utahns on Medicaid.

Investigators speculate that the 2012 hack originated in Eastern Europe, though no one has been prosecuted. In addition to Medicaid records, the thieves sucked up personal data on the unemployed and those seeking food stamps, the privately insured, uninsured and retirees on Medicare whose doctors sought to test their eligibility for state subsidies.

Federal auditors said the highly sensitive and confidential nature of that data raised the possible risks posed by weaknesses in Utah's network security to severe and catastrophic levels.

Systems 'constantly being probed' • The findings come as little surprise to Waters, 31.

"It frustrates and insults me," he said of the data breach and its causes. "My own state government lacked the decency or respect to secure its networks for those people who were genuinely trying to get help."

A state-appointed ombudsman who counseled breach victims said those reactions were common among the thousands of residents who phoned in as news of the incursion unfolded.

"They were upset, disappointed, angry, all very appropriate given the situation," said Sheila Walsh-McDonald, chosen by Herbert to help coordinate support for those affected. "They got caught up in circumstances that put them at risk and they had no control over it."

State officials spent more than $9 million on credit monitoring for victims, security audits and computer upgrades in the first year after the breach was detected. Researchers have since estimated its total costs in the hundreds of millions, including those borne by individuals and the private sector.

Within months of the cyberattack, Herbert sought the resignation of then-DTS executive director Stephen Fletcher, saying he lacked "oversight and leadership." Fletcher's ouster has been followed by a department-wide reorganization, adoption of new network-protection tools and creation of several executive positions devoted to security.

"We have stepped up our security game," said DTS spokeswoman Stephanie Weteling.

The agency submits to an outside audit of its security every two years, holding itself to private-sector industry standards. DTS also staffs an around-the-clock network-defense center at the state Capitol, with multi-layered security tools to monitor all traffic in and out of Utah's computer grids.

These days, DTS touts security as one of the four "pillars" of its department mission, Weteling said, along with customer service, technical innovation and employee success.

Security training is standard for all workers, said Weteling, and state legislators have devoted more than $2 million to upgrading DTS computers and networks, widening use of encryption and hiring 18 new full-time security and data-privacy professionals.

The health department has seen similar internal upheaval aimed at elevating security, according to Nathan Checketts, its deputy director in charge of Medicaid.

DOH has a data security office and executives within each of its divisions devoted to issues of patient privacy, Checketts said. Network-access controls are more robust, use of portable devices such as thumb drives has been reduced and data encryption is more widespread.

"Everyone in the state is more aware of security, privacy issues and potential weaknesses," Checketts said.

And as a steward of sensitive patient information, he said, the department has reached a new state of permanent watchfulness.

"Our systems are constantly being probed," Checketts said. "Even if you've closed 90 doors, people find a way of opening another door somehow."

'Breadcrumbs everywhere you go' • Walsh-McDonald, the state ombudsman, praised both departments for boosting security. She said the volume of concerned calls from breach victims has dropped off dramatically in the last two years.

Only about one in five of the 280,000 state residents whose Social Security numbers were stolen signed up for two years of free credit monitoring, Walsh-McDonald said, despite extensive publicity, creation of a call center and several community outreach programs.

A few victims have experienced identity theft, she said, "but really, overall, very small numbers and it's hard to say if they were actually related to this incident."

Utah's response efforts, Walsh-McDonald said, have emerged as a model to other states and private organizations plagued by data attacks in subsequent years.

For his part, Waters said he hasn't detected any attempts yet to hijack his finances or steal his identity. But like thousands of others affected, he still harbors a sense of betrayal and feels like he's been on alert ever since.

Waters said he acts more warily these days anytime he's online. His online accounts are protected by complex, 15-character passwords and what's known as multifactor authentication, requiring more than a name and password to sign in. He uses encryption for all sensitive personal emails.

He still revels in social media, but Waters said using Facebook or Twitter or posting anything online feels different now. He lost personal data again in 2015, when his cellphone carrier T-Mobile got hacked.

"It's all made me more consciously aware that you leave breadcrumbs everywhere you go on the Internet," Waters said. "But as long as you're taking steps and are careful, it's just a matter of understanding what you're sharing."

Twitter: @TonySemerad

Utah Public Insight Network

This story was informed by sources in the Utah Public Insight Network. To become a news source for The Salt Lake Tribune, visit sltrib.com/upin.

Measures to help protect against hacking

Experts offer these tips for protecting your data online.

• Multi-factor authentication (MFA)

Instead of typing in one password to log in, MFA requires two or more steps to verify your identity. It is widely available on online services and mobile apps; users might answer a simple question, identify a picture or enter several key words to get access to their accounts.

• Credit monitoring

If your personal data has been stolen, credit monitoring won't make the situation worse, especially if it's being offered for free. But keep in mind: while most services notify you if someone tries to use your credit, few actually prevent fraudulent activity. If your bank allows it, consider restricting amounts of cash that can be transferred from your accounts without additional approval.

• Encryption

Systems for encoding your data can be daunting to install, so consider using encryption selectively at first on sensitive personal emails and financial information. Many novices start with PGP, short for Pretty Good Privacy, an open-source method that uses public and private keys that users share to lock and unlock data.

• Caution with Wi-Fi

Choosing free public Wi-Fi over a cellular connection might save money on your data plans, but such links put you at risk of your data being intercepted. When using public Wi-Fi, avoid logging onto any financial accounts or sending any personal information.

• Know your options on privacy settings

Understand what personal data is being collected by which services, how it is used and how it is stored — which sometimes means reading the fine print on service agreements. Don't provide information that isn't essential.

Sources: National Cyber Security Alliance, ITPro