Utah Health Agency Data Breach: 2M Records at Risk – Audit Finds Lax Security

by Dr. Michael Lee – Health Editor

More than two million Utah residents – including children involved in the state’s child welfare system and patients receiving psychiatric care – have had their sensitive personal data left vulnerable due to inadequate security measures within the state’s health agency, according to a newly released audit.

The audit, conducted by the Office of the Utah State Auditor, was initiated following a whistleblower complaint and revealed that access to confidential case records was readily available to over 2,000 employees. Utah State Auditor Tina M. Cannon described the findings as a “critical failure to protect the privacy of families, individuals and our most vulnerable, Utah’s children.”

The Division of Child and Family Services (DCFS) maintains approximately six million records pertaining to 2,020,726 individuals, encompassing caseworkers’ notes and details related to foster care, adoption, and cases of child abuse and neglect. The Utah State Hospital’s information system currently holds health records for 10,587 patients. Auditors found minimal restrictions on employee access to these databases, with users largely left to determine appropriate viewing access themselves. “You’ll see no automated or proactive mechanisms to flag or prevent inappropriate access,” the report stated.

Currently, 1,222 state employees have access to the DCFS information system, including personnel from the Utah Office of Guardian ad Litem, the Utah Psychotropic Oversight Panel, and the Utah Attorney General’s office, in addition to DHHS social workers. The Utah State Hospital’s system is accessible to 823 DHHS employees, all of whom have unfettered access to the records of the hospital’s 340 current patients. Even after a patient is discharged, their records remain readily accessible after 60 days, with only a simple comment submission required to unlock them, according to the audit.

The audit highlighted a lack of awareness among DHHS staff regarding privacy policies and reporting procedures. Records of policy violations were found to be maintained in personal files rather than a centralized system. Inconsistencies in terminology – with “incident” and “breach” used interchangeably – could hinder effective response to potential large-scale data breaches.

Auditors deliberately refrained from conducting a full privacy audit to expedite the securing of databases and minimize further risk to confidentiality. Instead, the assessment involved interviews with 21 employees regarding metrics and agency policies. DHHS officials have outlined plans to address the identified deficiencies and have already begun implementing some corrective measures, according to responses included in the audit report.

The release of this report comes less than two weeks after separate legislative audits revealed that DCFS workers had placed thousands of Utah children at risk through failures to adhere to established policies and deadlines. Both Auditor Cannon and legislative staff are scheduled to discuss their respective findings Wednesday morning before the Legislature’s Social Services Appropriations Committee, which will consider recommendations regarding the DHHS budget.
