About a month ago, I blogged about the medical record breach at Utah's Department of Health (UDOH). Nearly a million patient medical records were stolen by suspected Eastern European hackers. When the story first broke, the state blamed the incident on a technician who “installed a password that wasn't as secure as needed” on a new server that had been placed into service just three months earlier.
Well, news stories like this one in the Salt Lake Tribune are now reporting that UDOH has partly shifted its stance, admitting the breach was made worse because the medical record data, instead of being erased each day as its own security protocols require, was left to accumulate on the server from the time it was first installed. UDOH is keeping quiet, however, about why the security protocol was not followed, as well as why compliance with the protocol and password requirements weren’t checked as a matter of course when the new server was brought online.
UDOH is also refusing to say whether those responsible for the security breach have been disciplined, something that those whose medical records were compromised have been asking about. In response to these inquiries, the department's executive director, David Patton, was quoted as saying that, "We’re in the mode of trying to help people, not find culprits."
So far, only 20 000 people have taken up the state’s offer of one year of free credit monitoring, although part of the slow uptake is being blamed on the state’s approach to victim outreach. According to a separate story published by the Tribune, the letters the state sent to potential victims concerning the breach direct them to “call a hotline and enter their Social Security number.” Many folks, the Tribune reports, fear the letters they are receiving are part of some scam, since this type of request is exactly what Utah’s government officials routinely advise state residents never to comply with. And even if you believe the letter is legit and follow the enclosed directions, the Tribune says, the operators manning the victim hotline are apparently only able to read from a script and have been instructed not to answer any questions posed to them by callers!
And speaking of engineering mistakes, according to an article in Computer World, an Apple programmer forgot to turn off a “debugging switch” in the latest version of Apple’s Lion operating system. The consequence of the error is that it can reveal “the passwords for material stored in the first version of FileVault, the company's encryption technology.” The issue doesn’t affect those with the latest version of FileVault, however.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.