More than two million people’s sensitive case records — related to child welfare in Utah and psychiatric treatments at the Utah State Hospital — have not been adequately protected and are easily accessible to over 2,000 employees, according to a report published Tuesday.
After a whistleblower reached out to a hotline run by Utah Auditor Tina Cannon’s office, it began looking into how the state’s health agency is handling access to the records.
“The deficiencies we uncovered at the Department of Health and Human Services represent a critical failure to protect the privacy of families, individuals and our most vulnerable, Utah’s children,” Cannon said in a statement Tuesday.
Utah’s Division of Child and Family Services holds approximately six million records related to 2,020,726 individuals in its information system. The documents include caseworkers’ notes and detail foster care, adoption, child abuse and neglect cases.
The information system for the Utah State Hospital currently contains health records for 10,587 patients.
Auditors found there are almost no limits on viewing those records for the employees who have accounts to use those databases.
“Users are expected to determine for themselves what range of viewing access is appropriate,” the auditor’s office noted. “There are no automated or proactive mechanisms to flag or prevent inappropriate access.”
Currently, 1,222 state employees have access to the DCFS information system. In addition to DHHS social workers, they include representatives from the Utah Office of Guardian ad Litem, which provides legal representation for children who have been abused or neglected; the Utah Psychotropic Oversight Panel, which oversees mental health medications for children in the state’s custody; and the Utah attorney general’s office.
The Utah State Hospital’s information system is accessible to 823 DHHS employees.
All of them have unfettered access to the health records of the 340 patients currently staying at the hospital. And although discharged patients’ records are “soft locked” after 60 days, users can still view them immediately by merely submitting a comment, according to the audit.
Allowing improper access to sensitive information entrusted to the state raises the risk of privacy violations, increased emotional trauma and reputational harm, Cannon’s office wrote.
It also warned that a single compromised account could expose entire databases to bad actors, noting the information “is highly valuable on the dark web.”
DHHS staffers have a low level of awareness about privacy policies and generally did not know how to report violations, the report said.
Employees on the Information Privacy and Security team keep records about policy violations in personal files, rather than using a centralized repository, it said.
And some use the terms “incident” and “breach” interchangeably — a mistake that could make it more difficult to identify and follow laws around responding to a large-scale data breach.
The auditors office did not conduct a full privacy audit, in an effort to secure the databases as quickly as possible and to avoid further jeopardizing confidentiality. Instead, it interviewed 21 employees about metrics and the health agency’s policies.
Responses from DHHS included with the audit outline plans to fix the problems identified, and it has already taken action on some issues.
Tuesday’s report comes less than two weeks after legislative auditors presented findings that DCFS workers had endangered thousands of Utah children by not adhering to deadlines and other policies. Both legislative staffers and Cannon will discuss their respective audits Wednesday morning in front of the Legislature’s Social Services Appropriations Committee, which makes recommendations on DHHS’s budget.
