Massachusetts DPL mails disks with Social Security numbers

Date Reported:
10/3/07

Organization:

State of Massachusetts

Contractor/Consultant/Branch:

Division of Professional Licensure

Victims:
Professionals licensed by the State of Massachusetts

Number Affected:
450,000

Types of Data:
Name, address and Social Security number

Breach Description:
Employees of the State of Massachusetts Department of Professional Licensure inadvertently sent disks containing confidential information to marketing firms and other undisclosed businesses.  It is not uncommon to send names and addresses to various organizations as part of the state's public records law, but the mistake occurred when the Social Security numbers were not deleted from the records first.

Reference URL:
Letter from the Director
Questions and Answers
Worcester Telegram & Gazette

Report Credit:
Steve LeBlanc, Associated Press

Response:
From the Letter from the Director, Questions and Answers and online article cited above:

"State regulators inadvertently distributed disks containing personal data, including Social Security numbers, of 450,000 licensed professionals in the state."

"DPL regrets to inform you that the social security numbers of a number of DPL and DHPL licensees were inadvertently included on computer disks mailed to individuals seeking publicly available information about DPL and DHPL licensees."

"It appears that the 28 disks at issue erroneously included social security numbers as a result of a programming error and the upgrading of computer hardware and software."

"The new software, which the state began using on Sept. 11, failed to delete the Social Security numbers of those on the lists - including engineers, nursing home administrators, certified public accountants and other professionals - when transferring the information to disks."

"When a staff member discovered the error, officials said they immediately contacted all those who had been sent the disks, requesting the disks not be used and be returned immediately."

"Of the 28 disks mailed out, all but two have been recovered."

"The intended recipients of these two disks for these two boards have agreed to return them. Moreover, there is no indication that any social security number has been stolen or used by anyone."
[Comfyllama] Hey victim, does this make you feel better?  If it does, then I know Nigerians that would love to have you help them transfer money out of their country.

Q. Has DPL taken steps to make sure this does not happen again?
A. Yes. The programming error has been corrected and other steps have been implemented to safeguard your social security number and other personal data.
[Comfyllama] I would love to know what these "steps" are.  Might a couple of them be to test new applications and include information security very early on in the upgrade project?

"Individuals who are concerned about their personal information can contact the Division of Professional Licensure for assistance."
[Comfyllama] Persons with questions about this breach can email:

and/or call the special hot line at

Commentary:
I feel comfortable with the state's reaction to the breach.  I sense honesty and a real desire for forgiveness.  Don't get me wrong though, there is NO excuse for treating sensitive personally-identifiable information in this manner.  The state has received assurances, and in some cases signed affidavits from the organizations who received the disks in question stating that they have not and will not access any of the data on the disks.  Not sure if this would make me feel any better or not if I were a victim.  I don't think so.

I can think of at least two security procedures that should be put into place based on the very limited information we have.  One, incorporate information security into all software implementation, upgrade, and decommissioning projects at the very beginning.  This is especially important for any application that may access, process, transmit, and/or store confidential data.  The second procedure to be put in place would surround the process of sharing information outside the department.  All potentially sensitive information must be verified before any transfer to another entity.
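The second procedure above, verifying an export before it leaves the department, can be made mechanical. The following is an added example (not code from the state or from this post): it projects licensee records onto an explicitly allowed column list and then scans the resulting CSV for SSN-shaped values, refusing release if any survive. The column names and the sample records are assumptions constructed for the example.

```python
import csv
import io
import re

# Columns the public-records export is allowed to contain (assumed; the real
# DPL schema is not given in the post). Anything else is dropped on export.
PUBLIC_COLUMNS = ["name", "address", "license_no"]

# SSN-shaped values: 123-45-6789 or nine bare digits. The bare form is a
# heuristic (ZIP+4 codes also have nine digits), so a hit means "hold for
# review", not "this is an SSN".
SSN_RE = re.compile(r"(?<!\d)(\d{3}-\d{2}-\d{4}|\d{9})(?!\d)")

def build_export(records, columns=PUBLIC_COLUMNS):
    """Write only the allowed columns; extra fields in a record are ignored."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    for record in records:
        writer.writerow(record)
    return out.getvalue()

def scan_export(csv_text):
    """Return (csv_line, column, value) for every SSN-shaped field found."""
    hits = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for column, value in row.items():
            if value and SSN_RE.search(value):
                hits.append((line_no, column, value))
    return hits

def release_gate(records, columns=PUBLIC_COLUMNS):
    """Build the export and block release if any SSN-shaped value is present."""
    csv_text = build_export(records, columns)
    hits = scan_export(csv_text)
    return (len(hits) == 0, csv_text, hits)

# Constructed sample records, not real licensees.
RECORDS = [
    {"name": "A. Engineer", "address": "1 Main St, Boston MA 02108",
     "license_no": "PE-0001", "ssn": "123-45-6789"},
    {"name": "B. Accountant", "address": "2 Elm St, Worcester MA 01608",
     "license_no": "CPA-0002", "ssn": "987654321"},
]

if __name__ == "__main__":
    ok, _, hits = release_gate(RECORDS)
    print("release allowed" if ok else f"release blocked: {hits}")
    # Simulate the reported failure: an export that no longer drops the SSN column.
    ok, _, hits = release_gate(RECORDS, PUBLIC_COLUMNS + ["ssn"])
    print("release allowed" if ok else f"release blocked: {hits}")
```

The second call models the upgrade bug the post describes: the column list is the only thing that changed, and the scan is what catches it before the disk is mailed.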

Past Breaches:
Unknown