State auditor rates DHHS access controls "critical," flags whistleblower retaliation and incident-response gaps

Utah State Legislature — Social Services Appropriations Committee · February 11, 2026


AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

A state auditor's data-privacy audit found excessive, poorly controlled access to DHHS records (1,222 users with access to millions of records), inadequate incident response and reported retaliation against whistleblowers; DHHS agreed with most findings and outlined technical fixes and policy changes.

A state auditor's office audit presented to the Social Services Appropriations Committee described critical data-privacy and security weaknesses at the Utah Department of Health and Human Services (DHHS), including broad user access to highly sensitive records, insufficient incident-response procedures and evidence of retaliation against whistleblowers.

"Across the state, you have 1,222 users that have access to 6,000,000 records covering over 2,000,000 people," an auditor told the committee, calling the excessive-access finding "critical." Auditors said they withheld some technical details from the public presentation to avoid exposing vulnerabilities and offered to brief legislators in a more controlled setting.

The audit found inadequate monitoring and quality checks of who accesses sensitive records, cited delays and misclassification in incident response, and reported cases in which employees who raised concerns experienced retaliation rather than receiving corrective action. Audit staff warned that without stronger access controls, logging and active monitoring, a single compromised user account could expose large volumes of personal data.

Examples and recommended fixes: Audit staff member Alex Nilsen suggested low-cost, pragmatic controls such as requiring a documented justification when accessing cases outside a user's normal assignment, logging and periodic reviews of access patterns, and automated monitoring for anomalous behavior. Auditors said they held publication of the full report to give DHHS time to implement recommendations.

Agency response and progress: DHHS executive director Tracy Gruber acknowledged the seriousness of the findings and said the department has centralized its privacy and security teams since a 2022 merger, improved policies and begun addressing the remaining vulnerabilities. Kyle Dunn, director of data systems and evaluation at DHHS, described steps already taken: reviews of user access at DCFS and the Utah State Hospital, tightened deprovisioning timelines, loading activity logs into business-intelligence tools for regular review, and drafting a formal incident-response policy and breach-determination SOP, with milestones expected by March.
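To make concrete what the controls described by Nilsen (justification for out-of-assignment access, logging, periodic review, anomaly monitoring) and by Dunn (deprovisioning, activity logs reviewed on a schedule) look like in practice, here is an added example written for this page. It is not code from the audit, DHHS or the meeting. It runs three checks over a constructed access log: unjustified access outside a user's assignment, a user-day whose record count is far above that user's own baseline, and any activity by an account after its deprovisioning date. The usernames, case IDs, dates, CSV fields and thresholds are all assumptions made up for the example.

```python
import csv
import io
import statistics
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data (not DHHS records): each caseworker's assigned
# cases, and the date on which an account should have been deprovisioned.
ASSIGNMENTS = {
    "cw_alice": {"C-100", "C-101", "C-102"},
    "cw_bob": {"C-200", "C-201"},
    "cw_carol": {"C-300"},
}
DEPROVISION_DATE = {"cw_carol": date(2026, 1, 31)}  # left the agency

# Constructed access log in CSV form. A blank justification means the
# record was opened with no reason entered.
LOG_TEXT = """\
date,user,case_id,justification
2026-02-02,cw_alice,C-100,
2026-02-02,cw_alice,C-101,
2026-02-02,cw_alice,C-102,
2026-02-02,cw_alice,C-100,
2026-02-03,cw_alice,C-100,
2026-02-03,cw_alice,C-101,
2026-02-03,cw_alice,C-200,
2026-02-03,cw_alice,C-201,court order; supervisor approved
2026-02-03,cw_alice,C-102,
2026-02-04,cw_alice,C-100,
2026-02-04,cw_alice,C-101,
2026-02-04,cw_alice,C-102,
2026-02-04,cw_alice,C-100,
2026-02-02,cw_bob,C-200,
2026-02-02,cw_bob,C-201,
2026-02-03,cw_bob,C-200,
2026-02-03,cw_bob,C-100,
2026-02-03,cw_carol,C-300,
"""
# Constructed bulk pull: one user opening 30 unassigned cases in a day.
LOG_TEXT += "".join(f"2026-02-05,cw_alice,C-{400 + i},\n" for i in range(30))


def parse_log(text):
    """Parse CSV access events into dicts with a real date object."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "date": date.fromisoformat(row["date"]),
            "user": row["user"],
            "case_id": row["case_id"],
            "justification": row["justification"].strip(),
        })
    return events


def unjustified_out_of_assignment(events, assignments):
    """Check 1: access to a case outside the user's assignment with no
    recorded justification. Justified out-of-assignment access is allowed
    but stays in the log for periodic review."""
    return [e for e in events
            if e["case_id"] not in assignments.get(e["user"], set())
            and not e["justification"]]


def volume_anomalies(events, factor=3.0, min_records=10):
    """Check 2: a user-day with at least `min_records` accesses and more
    than `factor` times that user's median daily count. Both thresholds
    are illustrative assumptions, not values from the audit."""
    per_day = Counter((e["user"], e["date"]) for e in events)
    per_user = defaultdict(list)
    for (user, _day), n in per_day.items():
        per_user[user].append(n)
    flagged = []
    for (user, day), n in sorted(per_day.items()):
        baseline = statistics.median(per_user[user])
        if n >= min_records and n > factor * baseline:
            flagged.append({"user": user, "date": day,
                            "count": n, "median": baseline})
    return flagged


def post_deprovision_access(events, deprovision_dates):
    """Check 3: any activity by an account after its deprovisioning date."""
    return [e for e in events
            if e["user"] in deprovision_dates
            and e["date"] > deprovision_dates[e["user"]]]


def review(text=LOG_TEXT, assignments=ASSIGNMENTS, deprovision=DEPROVISION_DATE):
    """Run all three checks and return the findings for a scheduled review."""
    events = parse_log(text)
    return {
        "unjustified_out_of_assignment": unjustified_out_of_assignment(events, assignments),
        "volume_anomalies": volume_anomalies(events),
        "post_deprovision_access": post_deprovision_access(events, deprovision),
    }


if __name__ == "__main__":
    for name, hits in review().items():
        print(f"{name}: {len(hits)} finding(s)")
        for hit in hits[:3]:
            print("   ", hit)
```

On the constructed data the review flags the two one-off unassigned lookups with no reason entered, the 30-record bulk pull both as unassigned access and as a volume anomaly against that user's own baseline, and the single access by the account that should have been deprovisioned. The volume check compares each user to their own median rather than a fleet-wide number, which is what keeps the friction low for workers whose normal caseload is large.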

The committee discussed the tension between operational needs (timely case access for workers) and security controls. Audit staff emphasized that controls should preserve timely access while adding minimal friction and stronger monitoring to deter inappropriate access.