Today the Office of the Utah State Auditor released a privacy audit which identified several critical weaknesses in the Department of Health and Human Services (DHHS), exposing the sensitive personal data of over 2 million Utahns, including children and psychiatric patients, to significant risk. The privacy audit, initiated following a whistleblower complaint, found that DHHS has inadequate privacy incident response procedures and insufficient monitoring in place, leading to under-reported privacy incidents and potential exposure of highly sensitive personal data. Privacy audits are performed by the Utah State Auditor’s division of State Privacy Audit, as part of the statutory responsibility of the office and its independent oversight of government entities.
The audit highlighted two major data repositories. The SAFE system is used by the Division of Child and Family Services (DCFS) and contains over 6 million records on more than 2 million distinct individuals. eChart is used by the Utah State Hospital (USH) and maintains sensitive records of over 10,000 individuals.
“The deficiencies we uncovered at the Department of Health and Human Services represent a critical failure to protect the privacy of families, individuals and our most vulnerable, Utah’s children,” said State Auditor Tina M. Cannon. “When systems that store confidential data about children and individuals lack fundamental safeguards, the potential for misuse and long-term harm is immense. This is not merely saved data or historical files. These are key aspects that represent and open people’s private lives. We urge DHHS to implement our recommendations without delay, to create strong protections for personal privacy and work to rebuild public trust in order to ensure that the privacy of every Utahn they serve is securely and appropriately protected.”
The audit revealed systemic issues across DHHS in access control management, record dissemination handling, and monitoring practices for sensitive records.
The audit outlined three major findings:
Finding 1: Inadequate Access Controls in SAFE and eChart Systems
Both systems permit broad access to sensitive records without enforcing or adequately monitoring access. A single compromised account could expose entire data repositories and open the threat of identity theft, a risk that is especially critical for children’s data, which is highly valuable on the dark web.
Finding 2: Lack of Monitoring and Quality Control related to the DCFS’s GRAMA Team
The Division of Child and Family Services’ “GRAMA team,” which handles public records requests, faces significant backlogs and has released sensitive documents to the wrong parties.
Finding 3: Inadequate Incident Response Preparedness and Training
DHHS lacks clear and effective incident response and training programs. Policies are poorly defined, and interviews with staff revealed widespread confusion.
The Office of the Utah State Auditor has provided these findings and recommendations to the Department of Health and Human Services. The full report can be found on the Auditor’s official website.
The Social Services Appropriations Committee has asked Auditor Cannon to present the findings of this audit at their meeting on February 11, 2026, which begins at 9 am. Following her presentation, she will take questions from the committee concerning these issues.

