State of Calif. mistakenly publishes thousands of SSN online

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.kcra.com/news/State-of-Calif-mistakenly-publishes-thousands-of-SSN-online/-/11797728/17723434/-/tad6swz/-/index.html?absolute=true

SACRAMENTO, Calif. (KCRA) —

A KCRA 3 investigation reveals the State of California has mistakenly
published thousands of Social Security numbers on the Internet.

The list includes Medi-Cal providers in 25 California counties,
including Amador, Calaveras, Colusa, Nevada, Placer, Sutter, Tuolumne
and Yuba.

In an exclusive interview with KCRA 3, state officials from the
Department of Health Care Services admitted to posting nearly 14,000
Social Security numbers belonging to Medi-Cal providers working for
In-Home Supportive Services.

"This was inadvertent and we sincerely regret this has happened," said
Norman Williams, deputy director for public affairs for the Department
of Health Care Services.

The confidential information was available on the state's Medi-Cal
website for anyone to see for a period of nine days, before the
mistake was discovered and the numbers removed.

KCRA 3 interviewed several providers from In-Home Supportive Services
about the security breach.

"It's really going to hurt a lot of people, and the bad guys are going
to be out there in seventh heaven," said Julie Hansen, who works 50
hours a week as an in-home care provider.

Hansen makes $10 an hour taking care of her son, Joe Marques, who is
legally blind and takes eight separate medications to combat seizures.

Social Security numbers are a key ingredient for identity theft.

"If we do get bad reports or money against our accounts, they should
be liable," Hansen told KCRA 3. "But they've got the lawyers, we
don't.
"

This is the second security breach involving IHSS workers in the past
five months.

As KCRA 3 reported last July, a database breach by the Department of
Social Services put three-quarters of a million providers at risk.

At the time, the state offered to provide free credit monitoring for
several months, and pledged the problem would never happen again.

But now it has -- this time under the Department of Health Care
Services, which does the billing for IHSS providers, who are employed
through the Department of Social Services.

"I said, again? This has already happened once," said Ann, another
in-home worker.

Ann declined to provide her last name, saying she was concerned about
becoming a victim of identity theft.

"It just gives the overall feeling of uneasiness," Ann told KCRA 3.
"You know, like impending doom, like somebody is going to steal money
from me and I'm not going to know until after it happens."

KCRA 3 also spoke with William Reed, executive vice president of
United Domestic Workers, the union representing in-home care workers.

"The first reaction is -- is anybody at the helm?" Reed said. "You
know, do they really know what they are doing? And do they really care
about safeguarding that information?"

"We've taken some very strong action to help deal with the problem,"
said Williams, of the Department of Health Care Services. "We've
offered a year of free credit-monitoring service and we've taken some
steps to protect the information more carefully.
"

Williams declined to name the specific steps for security reasons, but
added, "There is an ongoing internal investigation and we're working
to understand the problem better, to make sure it doesn't happen
again."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.