As many organizations that suffer a breach do, the Utah Department of Health is offering free credit monitoring services for one year to those who had their Social Security numbers compromised. Other than that, there isn’t much to be done for the breach victims. Unfortunately, many are still concerned that their identities could be stolen, among other potential hardships.
To prevent security snafus such as this, the Utah Department of Health should have been protecting its sensitive data with encryption and key management. Encryption would have rendered the breached data useless. The Utah Department of Technology holds the personal information of millions of its citizens and, unfortunately, didn’t take proper precautions to protect it. Alliance Key Manager, our encryption key management HSM, could have provided exactly what they needed to avoid a breach. With on-board encryption, sensitive data can be sent to the HSM, encrypted, and then sent back to where the data needs to live. Alliance Key Manager also meets regulatory requirements, a hurdle for many companies trying to pass an audit around encryption key management.
When you see a situation like this in Utah, it’s naive to think that hackers can’t access your information in your own home state. Just ask a Medicaid recipient from Utah, and it is clear that these dangers aren’t so far from home. Utah’s governor spoke on behalf of its citizens, saying, "Individuals provide sensitive personal information to the government in a relationship of trust. It is tragic that not only data was breached, but now individual trust is also compromised."
It’s a difficult situation, but as they try to mend the fences, it is important to audit your own encryption and key management processes to ensure that what happens in Utah stays in Utah.
For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and the first steps your company should take towards establishing a data privacy strategy.