Sensitive Milwaukee County information posted to Web
Date Reported:
2/11/08
Organization:
Milwaukee County (Wisconsin, USA)
Contractor/Consultant/Branch:
Citizens for Responsible Government Network
Victims:
Persons involved with the county
Number Affected:
Unknown
Types of Data:
"patient and legal records"
Breach Description:
Milwaukee County officials released to the activist group Citizens for Responsible Government Network a copy of their "county spending database" that contained sensitive personal information belonging to various persons who had contact with the county. Citizens for Responsible Government Network agreed to remove the confidential information at the request of county officials, but the information had been posted for as many as six (6) days.
Reference URL:
Milwaukee Journal Sentinel story
United Press International story
Report Credit:
Milwaukee Journal Sentinel
Response:
From the online sources cited above:
Citizens for Responsible Government Network agreed to dump descriptions from some 6,900 bills that county officials feared included names of people who had court-ordered psychiatric exams, other patient service information and guardianship case details.
The information had been displayed on the group's Web site for six days, after CRG obtained a database on all county spending for the last two years.
CRG pulled a few hundred descriptions on court spending from its Web site over the weekend, after county Clerk of Court John Barrett complained about the release.
The group on Monday trashed thousands more county records CRG had displayed that came from the Sheriff's Department, the House of Correction, the district attorney's office, the Department of Health and Human Services, the Personnel Review Board and the Division of Economic and Community Development.
The county will supply the group with an edited version of the same county spending database, after department heads get a chance to better scrutinize the records, said Cynthia Archer, acting director of the county's Department of Administrative Services.
On Monday, Archer said she "questioned the wisdom" of Barrett's office forwarding confidential information included in its vendor database in response to a public record request by the group.
[Evan] What wisdom?
County Executive Scott Walker said he had not heard of any complaints from anyone whose confidential information was placed on the Internet for nearly a week.
Barrett said he was happy the records that identified court-ordered psychiatric exams and guardianship details were removed from the site but still worried about whether they had been found by any browsers. That type of information is generally confidential.
[Evan] I am not sure if this information was indexable by the various search engines, but it should definitely be explored and attended to, if necessary.
"Now I have to concern myself with whether we can put the toothpaste back into the tube," Barrett said.
[Evan] This is an excellent analogy. Once information (toothpaste) is disclosed, it is very difficult if not impossible to re-secure it (put it back in the tube).
Commentary:
The database is back up (without the confidential information, it appears) here: milwaukeecounty.headquarters.com/search_mke.aspx
It was a really poor decision to send information without looking at it or considering sensitivity issues. I bet they wish they had a "do over".
ACLU ALERT:
Chris Ahmuty, executive director of the American Civil Liberties Union of Wisconsin, said the county's sloppy handling of confidential information could expose it to a lawsuit for invasion of privacy.
[Evan] We need more lawsuits like we need a hole in the head.
"It seems like careless disrespect for the rights of individuals receiving service from the county," Ahmuty said.
Past Breaches:
Unknown
