California Loses Personal Data In the Mail—Again

A busted shipping container allows sensitive records belonging to 700 000 home care workers and patients to go missing

On this blog, we write a lot about cybercriminals defeating organizations’ online security measures (often because they’re woefully inadequate) or tricking consumers via some phishing or social engineering scheme. But sometimes you have to wonder whether the people responsible for other people’s personal information could make a bigger mess if they were intentionally trying to divulge the data.

Take for example California’s Department of In-Home Supportive Services (IHSS), which reported late last week that more than 700 000 records containing personal information of caregivers and patients were either lost or stolen. The department, which organizes and oversees the provision of home attendants and visiting nurses for elderly and disabled people, says that Hewlett Packard, with which it contracted to manage the data, notified it that microfiche containing payroll data was missing from a package it sent via the U.S. Postal Service. Among the items were 375 000 workers’ names, Social Security numbers, and wages, plus the names and state identification numbers of care recipients. The package, which HP was sending to California’s Compensation Insurance Fund, arrived with the container damaged and some of the records missing.

A Los Angeles Times article quoted Michael Cox, a spokesman for the Service Employees International Union, the labor union that represents hundreds of thousands of home care workers in the state:

“[The fact that such] primitive security measures are still in place is inexplicable.”

I think Cox’s characterization was a bit generous. It doesn’t seem out of place to look at a cardboard box containing pictures of unencrypted records and ask: What security measures? I have no idea whether California law allows it, but it would be perfectly just for the people whose information was handled so carelessly to sue the state. Perhaps the pain in the state’s purse strings will cause it to set the bar for maintaining or distributing sensitive data a little higher.

In March, computer storage devices containing the names, Social Security numbers, and other private records of about 800 000 adults and children were lost in transit between an IBM facility and the California Department of Child Support Services. See if this sounds familiar: a container holding the memory devices broke during shipping, allowing some of them to spill out.

