SALT LAKE CITY — State officials have extended credit monitoring services for another year for anyone affected in Utah's health data breach that occurred a year ago.
And the state's Department of Technology Services, which houses more than 1.5 petabytes of secure information, vows it has made strides to protect Utah's data.
The credit monitoring service, offered by the state through Experian, has been automatically renewed for the approximately 59,500 Utahns who enrolled during the last year.
A second chance to enroll is also being offered to anyone who didn't take advantage of the service when it was initially made available.
"It is the most common request that I have received," said Sheila Walsh-McDonald, who was appointed as the state data security ombudsman following the March 10, 2012, breach. "There were many individuals who felt very strongly that the service needed to be longer than one year."
She said 25 percent of those impacted by the breach have signed up for the service. In the breach, European hackers gained access to health information housed on Utah Department of Health servers that were supposed to have been protected at the time by both a firewall and data encryption.
"Their sense was that the hackers were smart and that they'd wait a year before using the information," Walsh-McDonald said. "The hope is that the information will become more stale and less interesting."
Hackers are smart, said Department of Technology Services spokeswoman Stephanie Weiss. "They're changing things constantly to try to find their way in."
The department experiences attacks daily. It protects and maintains more than 500 physical servers and 1,400 virtual servers containing tax, health, workforce services, driver's license, birth and death certificate and other information collected statewide.
"And it's ever-increasing," Weiss said. "But we're staying ahead of it and doing everything we can to protect the state's data."
Since the cyberattack of 2012, the department has not experienced any theft of data. Weiss credits that to the installation of an improved firewall, around-the-clock network monitoring, increased staff and enhanced training of the staff on policies and procedures.
The department also employs geo-blocking, which allows it to block access to its networks and websites coming from any specific region of the world.
"I think the public should feel confident that in light of the breach, the system is being much more responsive in protecting the data of individuals," Walsh-McDonald said.
The request for an additional year of monitoring was granted when funding was approved through a $1 million appropriation from the 2013 Legislature. It is estimated that the state spent $1.2 million for the first year of service from Experian.
Individuals have been receiving notices regarding the extended service, but also information from Experian asking them to renew service. Walsh-McDonald said renewal is unnecessary for anyone already enrolled.
Still, some individuals have secured their own credit monitoring coverage, are unfamiliar with or hesitant about the product being offered, are concerned about being entered into yet another information database or are simply not interested, she said, adding that the service is merely a choice.
Walsh-McDonald said "a very, very small number" of individuals whose health information was compromised in the breach have reported incidents of identity theft, but each incident is "unique" and "hard to know if it is related to the breach."
In more recent weeks, as people have filed their income taxes, some have been notified that their own Social Security numbers or those of someone in their household have already been claimed. Again, the instances, while concerning, cannot be traced back to the breach.
Individuals are encouraged to contact law enforcement and the Federal Trade Commission for options and additional action when they suspect anything outside of their permission is going on with their personal information.
For more information about the data breach or to sign up for credit monitoring, call or email the ombudsman at 801-538-6923 or firstname.lastname@example.org. Information on the breach is available online as well, at www.heath.utah.gov/databreach.