A new audit issued by the Utah Office of the State Auditor, triggered by an internal whistleblower complaint, has revealed significant security gaps within the state’s Department of Health and Human Services.

State Auditor Tina Cannon presented the findings to the Social Services Appropriations Subcommittee on Wednesday, detailing how the agency failed to implement procedures to detect and manage data breaches.

While the DHHS was made aware of these concerns in August 2025 and has begun taking steps to address them, the audit found the system left the private information of millions of Utahns vulnerable.

The report found that more than 1,000 users statewide had access to 6 million records covering over 2 million people. According to auditors, this access was not limited to assigned cases or tasks, and access logs were not actively monitored, meaning that when an employee viewed an individual’s sensitive case records, there was often no record of who accessed the file, when, or why.

Cannon noted in the hearing that when auditors asked for an “access graph” or “schema” to visualize who could reach this data, the DHHS could not provide one.

While the state auditor typically focuses on financial reports that are released soon after an initial investigation, Cannon said the sensitive nature of this report led her office to delay its public release. The delay was intended to give the DHHS a window to close security gaps before the vulnerabilities were made public.


Children, vulnerable patients at risk

Cannon warned that a single compromised account can expose massive sensitive repositories and that inappropriate access can go undetected, increasing risk to children and vulnerable patients.

“With one access, you can then expose the most critically important data in the most vulnerable of situations,” Cannon said. “That is the last thing we would want to happen.”

The auditing department issued three primary recommendations, and the first was flagged as “critical”: implementing tighter access controls and monitoring.

The DHHS agreed with the findings in part, but expressed concerns at the hearing that overly restrictive controls could cause delays in active investigations. Agency leadership specifically noted that the Division of Child and Family Services would require some flexibility to manage high-volume workloads and turnover.

The audit’s other findings urged the department to reevaluate record handling for sensitive requests — such as child abuse investigations — and to improve incident response training. The investigation revealed a lack of employee preparedness: 9 out of 21 surveyed staff members were unaware of incident response policies or where to find them.


Department and legislative response

Tracy Gruber, executive director of DHHS, told the subcommittee that the department views the independent audit as critical to improving its operations. Gruber confirmed that some policy changes are expected to take effect in March.

Addressing the broad access currently given to employees, department officials explained that staff need certain data to perform their duties, but the agency is now working to determine the exact “technical and administrative controls” required to balance job requirements with data privacy.

Legislative leaders emphasized that while the vulnerabilities in the department were a concern, no actual breach has been confirmed.

“There was no sensitive data that was given,” Senate President J. Stuart Adams, R-Layton, told Deseret News. “It appears that this was simply something that the Department was made aware of. They actually improved their processes.”

Sen. Kirk Cullimore, R-Sandy, acknowledged that no government agency in the world is fully securing data, but Utah is aiming to be a national leader in government data security following the passage of the Government Data Privacy Act a few years ago.

“Every year, there are new benchmarks that they have to meet,” Cullimore told Deseret News. “I would expect Utah will be one of the first states ... to have data privacy and retention policies, not only in place for the new digital era, but actively followed and implemented.”
