More than two million people’s sensitive case records — related to child welfare in Utah and psychiatric treatments at the Utah State Hospital — have not been adequately protected and are easily accessible to over 2,000 employees, according to a report published Tuesday. After a whistleblower reached out to a hotline run by Utah Auditor Tina Cannon’s office, it began looking into how the state’s health agency is handling access to the records.

Healthcare data breaches discovered in calendar year 2025 that affected fewer than 500 individuals must be reported to the HHS’ Office for Civil Rights by March 1, 2026. The HIPAA Breach Notification Rule requires data breaches affecting 500 or more individuals to be reported to OCR within 60 days of the discovery of a data breach. Individuals must also be notified within 60 days, and a notice must be submitted to prominent media outlets where the affected individuals are lo

While the health system stated it has no evidence that the information has been used for identity theft or fraud, it is offering resources to help individuals protect their data. News Center 7 previously reported that the organization became aware of suspicious activity within its network systems on or about May 20, 2025. The health network said that unauthorized access occurred between April 9, 2025, and May 20, 2025.