On Wednesday, a Utah House committee approved a bill (SB 20) by state Sen. Stuart Reid (R) that aims to alert beneficiaries of Medicaid or the state's Children's Health Insurance Program (CHIP) that their personal information will be stored in state databases, AP/Modern Healthcare reports.
The bill now advances to the full House for consideration (AP/Modern Healthcare, 2/7).
Background
The legislative action follows two recent data security breaches involving Utah Medicaid beneficiaries.
Last month, an employee of a third-party contractor lost an unencrypted thumb drive that contained personal information on about 6,000 Utah Medicaid beneficiaries, such as their:
- Names;
- Ages;
- Medicaid identification numbers; and
- Prescription drug use history.
Last year, hackers stole personal information on about 780,000 Utah Medicaid beneficiaries (iHealthBeat, 1/24). The breach occurred as Utah Department of Technology Services (UDTS) technicians were exchanging computer servers.
Stephen Fletcher -- executive director of UDTS -- said it appeared that "very sophisticated" hackers used passwords to access a server, but officials were uncertain about how the hackers bypassed security (iHealthBeat, 4/10/12).
Details of the Bill
Under SB 20, health care providers would be required, when they disclose their privacy policy, to tell Medicaid and CHIP beneficiaries that their personal information will be stored in state databases (AP/Modern Healthcare, 2/7).
The bill also would require UDTS to help convene a team of experts to:
- Determine best practices for securing personal data; and
- Ensure that such practices are implemented.
The legislation would require an audit to be conducted every two years to assess whether the best practices are being executed. If they are not, the Legislature and governor would be informed (Kolbasuk McGee, GovInfoSecurity, 2/1).