Victims of a cyberattack on Utah health records will be getting another year of protection against fraud and identity theft.
Utah lawmakers agreed to spend $1 million to extend credit monitoring for a second year. And the Utah Department of Health received $300,000 to hire IT staff to develop and enforce new data-security protocols.
"We're taking this very seriously," said Sheila Walsh-McDonald, the health department's new data-security ombudswoman. "The fraud protection will be extended automatically. Consumers won't have to do anything. They will get notification from Experian and the monitoring will be extended a year from the date they signed up."
While helpful, such steps are small comfort to some of the quarter-million Utahns who had their Social Security numbers stolen last March, when hackers broke into a poorly protected Medicaid server.
"Who's to say these thieves won't hold on to the information until they think it's safe to use?" asked breach victim Yvette Smith. "The state should have to pay for monitoring for life. That's what I'm planning on doing."
Eleanor Sundwall, whose daughter's information was exposed, said she understands it's unrealistic to expect taxpayers to foot the bill for lifelong monitoring.
But she laments there's no remedy, no financial recourse or easy way for victims to safeguard themselves. Many had no connection to Medicaid and no inkling that the state had their personal information on the server. Health care providers had "pinged" the server to test patients' eligibility for Medicaid, which exposed information from countless retirees on Medicare and people with private health insurance.
"All the responsibility and effort falls upon the victim," Sundwall said. "A Social Security number can be used for everything, from getting a cellphone to a driver license, and it falls to me to make sure that doesn't happen."
Experts agree that data breaches have become an increasingly common and costly problem in this computerized era and the victims bear the loss.
Going after the state or suing clinics and hospitals is a lost cause, said University of Utah law professor and privacy expert Leslie Francis.
"I don't think providers would be liable," she said, noting it's common practice for providers to "ping" Medicaid and those providers expected their data to be kept secure.
Francis, also a breach victim, traced the disclosure of her information to Salt Lake Regional Hospital.
She believes it violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to sufficiently warn consumers in privacy notices about its practice of pinging Medicaid. She filed a complaint last summer with the U.S. Health and Human Services' Office of Civil Rights.
The agency determined her complaint was valid but did not sanction the hospital, which has since changed its privacy notice, she said. Other Utah hospitals must follow suit under SB20, newly passed legislation sponsored by Sen. Stuart Reid, R-Ogden.
There is one possible avenue for compensating victims, said Francis, but it's a long shot.
Federal officials are investigating Utah's breach and could slap the health department with hefty fines to be shared with victims to mitigate harm.
But penalties would be imposed only if the breach is found to result from "willful neglect" and if Utah fails to resolve security lapses and come into compliance with federal privacy laws, according to the Office of Civil Rights.
Even if Utah is fined, federal officials haven't figured how to compensate victims; rules are being written now.
"It's a really interesting problem. How do you measure harm? Is it someone [fraudulently] using my Social Security number? Or is it the risk, the trouble I've had to take to safeguard myself?" asked Francis, who is working with the feds on possible approaches.
Proving harm isn't as easy as it sounds.
Walsh-McDonald said fewer than five breach victims have reported ID theft, but it's hard to tell if it's related to the breach.
"One complaint was from someone who discovered their information was being used to obtain credit. But we had another where the information used wasn't exposed in the breach," she said. "We've found no significant ties. People are calling because it's the only notification they've received, which is a good thing. We encourage them to do that."
Francis said one possible fix would be to require the state to monitor unusual activity with respect to people's information.
"They're in a better position to do that in a way I can't just by paying Experian," she said.
Was your info hacked?
Utahns whose Social Security numbers were exposed last year in a large health data breach are eligible for another year of free credit monitoring. If you think your information was compromised or misused, call 801-538-6923.