Everything we learned from the Utah DHHS privacy audit hearing – Deseret News
Everything we learned from the Utah DHHS privacy audit hearing – Deseret News
https://www.deseret.com/utah/2026/02/11/dhhs-privacy-audit-hearing/
Publish Date: 2026-02-12 00:06:00
Source Domain: www.deseret.com
A new audit issued by the Utah Office of the State Auditor, triggered by an internal whistleblower complaint, has revealed significant security gaps within the state’s Department of Health and Human Services.
State Auditor Tina Cannon presented the findings to the Social Services Appropriations Subcommittee on Wednesday, detailing how the agency failed to implement procedures to detect and manage data breaches.
While the DHHS was made aware of these concerns in August 2025, and has begun taking steps to address concerns, the audit found the system left the private information of millions of Utahns vulnerable.
The report found that more than 1,000 users statewide had access to 6 million records covering over 2 million people. According to auditors, this access was not limited to assigned cases or tasks and access logs were not actively monitored, meaning when an employee views an individual’s sensitive case records, there was often no record of who accessed the file or when and why they did.
Cannon noted in the hearing that when auditors asked for an “access graph” or “schema” to visualize who could reach this data, the DHHS could not provide one.
While the state auditor typically focuses on financial reports that are released soon after an initial investigation, Cannon said the sensitive nature of this report led her office to delay its public release. The delay was intended to give the DHHS a window to close security gaps before the vulnerabilities were made public.
Children, vulnerable patients at risk
Cannon warned a single compromised account can expose massive sensitive repositories; inappropriate access can go undetected, increasing risk to children and vulnerable patients.
“With one access, you can then expose the most critically important data in the most vulnerable of situations,” Cannon said. “That is the last thing we would want to happen.”
The auditing department issued three primary recommendations, and the first was flagged as…
