Utah's state auditor says the agency that is supposed to protect some of the state's most vulnerable residents instead left their private information far too exposed. A privacy audit completed last year after a whistleblower complaint found that sensitive personal data for more than 2 million Utahns, including children involved in abuse and foster care cases, was not properly safeguarded inside the Department of Health and Human Services. Auditor Tina Cannon told reporters the exposure created a "significant risk" for families across the state.
According to KSL, the audit found that confidential records for more than two million people were available without adequate safeguards and that DHHS had made sensitive documents accessible to over 1,200 users. Cannon said she waited several months before publicly releasing the report so the department could start fixing the problems. The review, launched after the whistleblower came forward, details weak access controls, loose rules for distributing records, and gaps in department policy.
Systems With Weak Controls
Auditors zeroed in on two major systems: the SAFE system used by the Division of Child and Family Services and eChart, the record system at the Utah State Hospital. Both allowed wide internal access without effectively enforcing or tracking who was looking at files, according to FOX13. The review also called out the Division's GRAMA team, which handles public records requests, for backlogs and, at times, sending sensitive documents to the wrong people.
Auditors warned that with such loose controls, a single compromised user account could expose an entire trove of records. They also said the department's incident response planning and staff training were not strong enough for the level of sensitive data DHHS handles.
Who Had Access
The audit says more than 1,200 people had access to the sensitive records in question, including case files involving abuse, neglect, and the foster family system. Cannon warned that the level of access is far broader than necessary, making it easier for credentials to be misused or stolen.
In a statement to KSL, DHHS said protecting the privacy of the Utahns it serves, particularly children and vulnerable adults, is a "foundational priority" and that "immediate steps were taken" after concerns were first raised in August 2025.
Audit Recommendations And The Road Ahead
The report recommends that DHHS tighten access controls, reconsider how sensitive documents are stored and shared, and bolster both training and incident response procedures. The Office of the State Auditor has already provided the findings to DHHS, and the Social Services Appropriations Committee has asked for a formal presentation. The full audit is available through reporting by FOX13. Lawmakers are set to hear Cannon's presentation Wednesday morning and could push for immediate fixes or additional oversight.
Beyond the technical tweaks and policy rewrites, the upcoming hearings will put DHHS leadership on the spot to show that Utah's most sensitive records are genuinely protected. The department says it has already begun making changes. For many Utah families whose data may sit in those systems, the lingering question is whether those changes will come fast enough and be strong enough to match the risk the auditors laid out.
