Employee Errors Expose PHI, PII, Social Security Numbers

The Illinois Department of Corrections (IDOC) and the Colorado Office of Information Technology (OIT) both recently announced data breaches resulting from employee error.

On August 14, 2015, IDOC determined that the names, job titles, salaries and Social Security numbers of more than 1,000 employees were mistakenly included in a response to a Freedom of Information Act (FOIA) request, the Chicago Tribune reports.

The person who received the information forwarded it to an inmate without realizing it contained personal information. His account was verified via a polygraph test, according to the Tribune.

The data was found by prison mailroom staff during an inspection of incoming mail, and the documents were “immediately secured in the facility vault,” IDOC said in a statement.

According to IDOC, the release of personal information was the result of human error. The department says it’s conducting a full audit of its FOIA unit and is improving its procedures to prevent a recurrence.

All employees whose personal information was included in the document are being offered access to credit monitoring services.

Similarly, Colorado’s OIT recently announced that a technical error caused approximately 3,000 letters to be sent to the wrong address between May 25 and July 5 of 2015.

According to the OIT, 1,622 of the letters were intended for Medicaid recipients and contained personal health information, and 1,069 were intended for Colorado Department of Human Services (CDHS) clients and included Social Security numbers. Another 353 CDHS letters included personally identifiable information such as names, addresses and state identification numbers.

All those affected are being offered access to credit monitoring services.

“The error occurred during a technical code change made by a vendor in late May which impacted fields of information in an unanticipated manner,” OIT said in a statement. “The initial problem was reported to OIT on July 1. After determining the problem was wider spread, a fix was put into place July 5.”

“While the fix corrected the problem, OIT and its vendor have put in additional quality checks to ensure such a situation does not occur again,” the statement adds. “The first verifies that the names printed on letters match the individuals linked to a case; the second verifies that the address matches the intended address for the communication. If either check fails, the letter is not mailed.”
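The two checks OIT describes amount to a release gate between letter rendering and mailing. The sketch below is an added illustration, not OIT's or its vendor's code; the record schema, field names, normalization rules and sample data are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CaseRecord:            # system-of-record entry (hypothetical schema)
    case_id: str
    members: tuple           # names of the individuals linked to the case
    mailing_address: str

@dataclass(frozen=True)
class RenderedLetter:        # what the print job actually produced
    case_id: str
    printed_name: str
    printed_address: str

def _norm(text):
    """Case-fold, drop punctuation, collapse whitespace so only real differences fail."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())

def release_check(letter, cases):
    """Return the failed checks; an empty list means the letter may be mailed."""
    case = cases.get(letter.case_id)
    if case is None:
        return ["unknown_case"]
    failures = []
    if _norm(letter.printed_name) not in {_norm(m) for m in case.members}:
        failures.append("name_mismatch")       # check 1: name vs. case members
    if _norm(letter.printed_address) != _norm(case.mailing_address):
        failures.append("address_mismatch")    # check 2: address vs. intended address
    return failures

def gate_batch(letters, cases):
    """Split a print batch into letters to mail and letters held for review."""
    mail, hold = [], []
    for letter in letters:
        failures = release_check(letter, cases)
        if failures:
            hold.append((letter, failures))
        else:
            mail.append(letter)
    return mail, hold

# Constructed sample data: one clean letter, one with an address from another
# case, one with a name from another case.
CASES = {
    "C-1001": CaseRecord("C-1001", ("Ana Ruiz", "Luis Ruiz"), "12 Elm St, Apt 4, Denver, CO 80203"),
    "C-1002": CaseRecord("C-1002", ("Sam Lee",), "9 Oak Ave, Pueblo, CO 81003"),
}
BATCH = [
    RenderedLetter("C-1001", "ANA RUIZ", "12 Elm St. Apt 4\nDenver CO 80203"),
    RenderedLetter("C-1002", "Sam Lee", "12 Elm St, Apt 4, Denver, CO 80203"),
    RenderedLetter("C-1002", "Ana Ruiz", "9 Oak Ave, Pueblo, CO 81003"),
]
```

Comparing the rendered output against the system of record, rather than re-checking the template's inputs, is what catches a field-mapping change like the one described in the statement.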

“We are stewards of people’s personal information and we take that responsibility very seriously,” Colorado CIO Suma Nallapati said in a statement. “We are doing everything possible to ensure this does not happen again.”

Recent eSecurity Planet articles have examined the risks introduced by working with third-party vendors and the importance of offering security training to employees.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
