Published May 15, 2012
SALT LAKE CITY – Utah's chief technology officer has resigned following the theft of hundreds of thousands of online medical records from state computers by unknown hackers.
Gov. Gary Herbert on Tuesday announced a "comprehensive" response to the massive data breach, including the resignation of Stephen Fletcher, director of the state's Department of Technology Services.
Herbert's office said the state also is hiring a public relations firm to handle crisis communications.
Last month, hackers stole personal information of about 780,000 Medicaid recipients and participants in the Children's Health Insurance Program, including the Social Security numbers of about 280,000 of them.
The state has offered victims free credit monitoring.
Herbert called the compromise of even one person's private data a "completely unacceptable breach of trust" and offered an apology.
"The people of Utah rightly believe that their government will protect them, their families and their personal data," he said. "As a state government, we failed to honor that commitment. For that, as your governor and as a Utahn, I am deeply sorry."
Herbert's apology didn't stop Utah Democratic Chairman Jim Dabakis from going on the attack.
"With an administration marked by one mismanagement scandal after another, we understand why Gov. Herbert wants crisis communications professionals on the scene, but we think most Utahns believe he should pay for it out of his campaign money, not hard-earned taxpayers' dollars," Dabakis said.
To restore public trust, the state has opened bidding to public relations firms until May 21 for a "crisis communication plan and outreach to data breach victims."
On March 30, hackers broke into a Medicaid eligibility server. Officials say security tools on the computer server were installed improperly. Medical clinics used the server to validate claims of retirees on Medicaid and others. The stolen information included birth dates, addresses, and in some cases, Social Security numbers.
Some of the data was said to be indecipherable, or disconnected from a name, making it hard to assess the full damage. State officials have said the information should have been deleted from the server once a claim was validated, and should not have been retained as records.
Investigators have traced the hackers' IP address to eastern Europe, but haven't identified any suspects.
At a news conference Tuesday, Herbert said Fletcher was asked to resign and stepped down. He was appointed to the cabinet-level post in 2005 by former Gov. Jon Huntsman.
Herbert named Mark VanOrden, the information technology director for the Department of Workforce Services, as Fletcher's replacement.
Herbert also appointed Sheila Walsh-McDonald to the new post of health data security ombudsman. She will oversee individual case management, credit counseling and public outreach.