by Shoshana Walter, the Center for Investigative Reporting
When a thief rang up $2,000 in charges at Victoria’s Secret, Gymboree and Gap on Rosa Franco’s credit card, she quickly surmised the reason – the state of California had mistakenly left her credit card and Social Security numbers exposed.
The state Department of Developmental Services, which serves Franco’s 5-year-old daughter and thousands of others with disabilities, had in March 2012 left stacks of billing and patient records in an abandoned, unsecured office. In another case, an employee in November left his unencrypted computer in his unlocked car overnight. The computer and more than 18,100 patient records disappeared.
“They send you a letter saying, ‘Oh, I’m sorry, oops, your information is lost!’ ” said Franco, 46, who lives in Los Angeles with her husband and daughter, who has Down syndrome.
“Thousands of people got that letter,” she said. “It’s unfair. We already have enough stress with our kids being special needs. Now I have to watch my daughter’s Social Security number.”
The security breach was one of thousands reported by state agencies over the past decade, the result of hacking, employee carelessness and theft. In 2012 alone, 16 state agencies and affiliated nonprofits reported major data breaches, according to state data reviewed by The Center for Investigative Reporting.
Despite numerous laws and state policies aimed at protecting privacy, consumer information represents easy pickings for hackers and thieves. State agencies frequently fail to protect the confidentiality of patients and consumers, including those who are the most vulnerable to fraud and identity theft – children, the elderly and the disabled.
25 Percent Not Encrypted
Nearly 10 years of state-collected data on computer security incidents involving confidential and private information reveals state agencies do not always encrypt computers, even when they contain confidential information affecting thousands of people. Of the 283 computers and phones containing confidential information that were reported lost and stolen, 25 percent were not encrypted.
In some cases, employee carelessness, not hacking, leads to security breaches. In 1,646 cases since 2003, confidential information was released after state employees lost equipment and documents or mailed and posted private information to the wrong place, according to a state database of preliminary reports.
About one-third of cyberbreaches are successful, according to the database. Agencies reported 49 out of 154 computer viruses, denial-of-service attacks and hacking attempts breached security. On several occasions, computers were disconnected from the network and destroyed after being infected with malware.
Michele Robinson, acting director of the state’s Office of Information Security, said the agency tries to continually train and instruct information technology staff across the state to protect and encrypt sensitive information.
“Obviously, we’ve seen incidents where they have not done that,” she said. “From our perspective, one of those is one too many.”
The cases run the gamut, from employee error to hack attacks to poor information security practices.
In little more than two years, for example, the Department of Motor Vehicles has mailed the wrong driver’s license or vehicle registration to more than 1,000 people, according to internal records. Last year, a courier left the keys in the ignition as he delivered a package and 283 Social Security numbers and driver’s licenses were stolen.
In April 2012, a thief stole an unencrypted computer from a state Department of Public Health service provider in Palm Springs that contained confidential information on 4,400 patients with AIDS. A month later, a package containing Social Security numbers for 748,902 elderly home care recipients and their caretakers was stolen en route to a state insurance office.
In November, the Department of Health Care Services accidentally posted 14,000 Social Security numbers for in-home care workers online. Nine days later, employees realized their mistake and took down the list. But workers were alarmed to find the information easily on Google.
Encryption has been a required state practice for years. A memo in 2008 from the Office of Information Security and Privacy Protection reminded state agencies to encrypt all devices containing confidential information, a requirement long outlined in the State Administrative Manual. Yet many agencies have not followed the procedure, allowing electronic information to fall into harm’s way.
“We definitely need to find out how rampant this situation is and rectify the situation as soon as possible,” said Assemblyman Ed Chau, D-Monterey Park, chairman of the Assembly’s Select Committee on Privacy. “Building a firewall to safeguard information is crucial.”
Without encryption, anyone can override a computer’s password and gain access to its confidential contents by removing the computer’s hard drive, using software or guessing. Technology experts say encryption is an easy procedure for any information technology department.
“People don’t realize that passwords are quite trivial,” said Seth Schoen, a senior staff technologist for the Electronic Frontier Foundation. “They should encrypt their data storage on every device. In the absence of that, whoever gets the device will be able to read it.”
By law, the California Highway Patrol is required to take reports on each security incident and investigate crimes involving state computers or those that are on state property. But Sgt. Kelly Dixon, an investigator in the Computer Crimes Investigation Unit, said limited resources make it impossible for the unit to investigate every crime.
“Theoretically speaking, we would be responsible,” he said. “Practically speaking, the local agency would come and take the report. We’re not going to investigate a vehicle burglary.”
Records show many agencies do not always send out notification letters immediately after security breaches, despite California’s first-in-the-nation law requiring businesses and state agencies to notify anyone whose unencrypted private information might have been accessed by outsiders.
Breaches involving theft of equipment are rarely investigated or lead to an arrest.
Last September, a Highway Patrol officer was shopping at a Sacramento Barnes & Noble when a thief broke into the trunk of his personal car, according to a state property report. The loot included a Highway Patrol-issued.40-caliber Smith & Wesson pistol, three .40-caliber high-capacity magazines and the officer’s unencrypted laptop containing confidential information, according to the database.
The officer called the Sacramento Police Department to make a report; no arrest was made.
In the case of the Department of Developmental Services records, a supervisor of a program for developmentally disabled infants and toddlers at the North Los Angeles County Regional Center had left his work laptop, personal laptop and iPhone in his car overnight on a street in Santa Monica, according to a police report. When he returned in the morning, the items were gone.
Although the state supervisor reported the thefts to the Santa Monica Police Department, the case never was investigated. Santa Monica police Sgt. Richard Lewis said the employee did not call police to collect evidence but dropped off a report he filled out himself, which meant the case would not be examined.
“I guarantee this case was never looked at,” he said, adding that the man did not identify himself as a state employee. “If we know it’s state property, we do a full-blown report.”
The Department of Developmental Services did not report the incident to the Highway Patrol or notify affected patients until two months later.
Nancy Lungren, the department’s assistant director of communications, could not explain the delay but said the regional center “has been reminded of their responsibility to submit timely reports on these type of security incidents.”