DHR fires worker who posted Social Security numbers on Internet

July 23, 2010|By Liz F. Kay, The Baltimore Sun

A state employee who posted the Social Security numbers of nearly 3,000 Maryland residents online for weeks has been fired, according to the Maryland Department of Human Resources.

"As of today, the employee is no longer employed with the state," said Nancy Lineman, DHR spokeswoman. She declined to comment further about the employee, stating that this was a personnel matter. "We are still not sure why he used the data in an unauthorized way," Lineman said.

Lineman said that the DHR is still investigating this incident and that no decision has been made about the filing of criminal charges.

Aaron Titus, a Fort Washington resident who volunteers his time for the Liberty Coalition, a nonprofit privacy advocacy group, found the numbers through a Google search this month and reported them to the DHR.

The state worker had posted the personal information of nearly 3,000 clients of the human resources department onto a private website in April. The data had been stored in a folder marked "downloads" and was not protected by a password, encryption or a firewall.

Titus said he has been receiving calls daily from assistance recipients who say the department hasn't been answering their questions about the incident — and they don't want to be troublemakers and risk losing their benefits.

"If DHR has gotten to a point in the investigation where they're able to make an employment decision, then I think it is appropriate for them to share that information with the victims," he said.

Knowing what the employee did would help them better understand their risk of exposure, Titus said.

"Do they need to be vigilant for the next six months, the next three years? What do they need to do?" he said.

DHR sent affected clients a letter to notify them of the breach. Victims were offered a free year of credit monitoring, but they must call an agency hot line before Oct. 29 to receive the benefit.

Lineman declined to identify the worker or his job earlier this week. None of the affected clients were aware of unauthorized financial activity.

She also stressed then that the breach was caused by a staff member acting against protocol. Lineman said employees are given the minimum access necessary to perform their jobs and that access is monitored and periodically reviewed.

The state agency handles thousands of applications a month for government services, including food stamps and emergency medical benefits, said Lineman. Because the applications are for federal programs, Social Security numbers are required for processing. All employees who handle sensitive information must sign forms stating that the information they review is confidential, she said.

Department of Human Resources officials said they do not believe the breach will lead to changes in the way personal information is collected and stored. This was also the first incident of its kind in years, Lineman said.

But "simply because they are unaware of other breaches doesn't mean a whole lot in this context," Titus said. "They didn't know of this breach either" until he alerted them.

Employees must be empowered to take action when someone alerts them to a potential breach, but they also need to minimize access to data like Social Security numbers so that information is not reproduced unless absolutely necessary, he said.

"While it is true you cannot protect against every risk … you need to create an environment where security is everybody's business," Titus said.

Protection tips

People can check if their Social Security number has been compromised by going to http://www.nationalidwatch.org.

Victims should call 1-800-332-6347, ext. 3 then 0 to sign up for free credit monitoring from the DHR.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.