Utah’s health agency is guilty of the “critical failure” to secure millions of patient records, putting sensitive data at risk, according to an official audit released Tuesday.
Utah Auditor Tina Cannon’s investigation found that the state’s Department of Health and Human Services did not adequately protect sensitive case records for over 2 million people, leaving them easily accessible to over 2,000 employees. Roughly 6 million records contained in the Division of Child and Family Services, which lies under DHHS, were left vulnerable.
“The deficiencies we uncovered at the Department of Health and Human Services represent a critical failure to protect the privacy of families, individuals, and our most vulnerable, Utah’s children,” Cannon said in a statement.
“When systems that store confidential data about children and individuals lack fundamental safeguards, the potential for misuse and long-term harm is immense,” she said. “This is not merely saved data or historical files. These are key aspects that represent and open people’s private lives.”
The audit found most data privacy issues within SAFE, a child welfare information system in DCFS. SAFE records include case notes, case management of in-home and foster care cases, adoption cases, and child abuse and neglect cases. Problems were also found within EChart, the record system Utah State Hospital uses for patients with mental health needs. EChart currently contains records related to 10,587 individuals, according to the auditor’s office.
The audit identified systemic problems in access controls, records dissemination, and monitoring across systems and teams handling sensitive records. DHHS lacks adequate oversight of incident records, adequate employee training, and effective monitoring to detect and manage privacy and security incidents, according to Cannon’s office. The weaknesses in oversight, awareness, and internal controls allow privacy violations to go undetected or unaddressed for extended periods, according to the review.
“Without effective monitoring and safeguards, staff are vulnerable to external pressures, and a single point of failure can compromise entire systems, potentially exposing millions of records to unauthorized access,” the audit reads.
Cannon’s review revealed that DHHS “is aware of intentional breaches of policy and confidentiality agreements occurring, along with known instances where workers access or disclose records to the wrong persons by mistake.”
The division’s privacy officers have documented instances of staff capturing unauthorized photos of patients or facilities, as well as external reports of sensitive data posted online. No well-known or secure mechanism for anonymous reporting of inappropriate access is in place for either the EChart or SAFE records system, meaning there are limited options to report wrongdoing “without fear of retaliation from agency leadership or coworkers,” the audit found.
The development follows another state audit released last month that similarly found DHHS had breached protocols. Cannon’s office found incomplete pharmacy rebate reporting and invoicing totaling over $49 million at Utah’s health agency. The review identified “significant deficiencies and noncompliance with federal requirements,” which led to millions in rebates owed to Utah’s Medicaid program by drug manufacturers.