[Med-privacy] CA story

pmarshall pwm@comcast.net
Thu, 04 Nov 2004 11:10:22 -0800






Update: California lawmakers rip handling of data theft at university
Instead of a broad media advisory, they want potential victims to be 
notified directly


News Story by Todd R. Weiss <mailto:todd_weiss@computerworld.com>

 

   
OCTOBER 29, 2004 (COMPUTERWORLD) <HTTP://WWW.COMPUTERWORLD.COM> - Four 
members of the California state assembly are pressuring the state's 
Department of Social Services (DSS) to immediately improve its attempts 
to notify 1.4 million state residents that their personal information 
may have been stolen by hackers in August.

In a letter Wednesday to Kim Belshe, secretary of the state's Health and 
Human Services Agency, which oversees the DSS, the lawmakers were 
critical of the department's decision to "only issue a media advisory 
about the 'unauthorized access.' " The media advisory "is not the most 
effective way to communicate with the workers and affected elderly and 
disabled clients," the letter stated.

Instead, the legislators wrote, "we believe it is imperative and well 
worth the cost to individually inform every affected party so each 
client and worker can personally check and see if they have been a 
victim of identity theft."

Under a California privacy law that went into effect last year, 
businesses and public agencies are required to inform individuals when 
their names -- in combination with either their Social Security numbers, 
driver's license numbers or credit/debit card numbers with personal 
identification numbers -- have been accessed by an unauthorized person 
(see story) 
<http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,82600,00.html>. 


Last week, the state announced the apparent security breach and warned 
affected state residents of the incident through a media advisory (see 
story) 
<http://computerworld.com/securitytopics/security/privacy/story/0,10801,96900,00.html>. 
The personal data was being used with the department's consent by a 
researcher working at the University of California, Berkeley, in August 
when it was apparently infiltrated by hackers. The DSS is working with 
the FBI to investigate the case.

The incident involved a computer that contained personal information on 
about 1.4 million recipients and providers participating in DSS's 
In-Home Supportive Services (IHSS) program, which provides home care 
services to low-income elderly and disabled Californians. Names, 
addresses, telephone and Social Security numbers, and the birth dates of 
IHSS participants may have been stolen, according to the DSS.

"We respectfully request that you require the Department of Social 
Services to individually notify In-Home Supportive Services recipients 
and providers that the privacy of their personal information may have 
been compromised due to the breach of security suffered at UC-Berkeley," 
the letter stated.

Hans Hemann, chief of staff for assembly member Loni Hancock, said the 
DSS response of sending out a media advisory was "underwhelming."

"We believe that the efforts of the department have not reached a 
sufficient number of the IHSS clients so far," Hemann said. The media 
advisory was sent to about 500 newspapers, television and radio 
stations, he said, and the DSS set up a 30-line toll-free call center to 
answer questions about the incident. "They received less than 100 phone 
calls" out of 1.4 million potential victims, he said.

It is not yet known if any personal information from the incident has 
been compromised, he said. "I'm not sure the clients were aware that 
their information was potentially used, therefore we haven't had any 
reports," Hemann said.

Carlos Ramos, the assistant secretary of the state's Health and Human 
Services Agency, said today that his agency has not ruled out mailing 
individual notices, but said other due diligence is required before 
doing so. "That is an option from the very beginning that we have 
contemplated ... and continue to contemplate," Ramos said.

Several other notification methods are under way, including sending out 
notices with the timesheets that are mailed out to workers who provide 
services to the agency's clients, he said.

So far, it is not even certain if any data was compromised by the 
alleged hackers, he said. While the incident occurred Aug. 1, it wasn't 
detected until the end of August by university IT security workers, and 
was reported to the state agency in late September, he said. That was 
followed by a review period "to determine what kind of breach" occurred 
and how widespread it was.

"You have to do some level of review before you just send out 1.4 
million letters," Ramos said.

Janet Gilmore, a spokeswoman for the University of California, Berkeley, 
said only that the incident is under investigation and had no further 
comment.

In a statement 
<http://www.berkeley.edu/news/media/releases/2004/10/20_breach.shtml> 
posted last week on its Web site, the university said "even one breach 
of its network is unacceptable. The campus works hard to avoid such 
incidents and regrets that this one occurred."

"The investigation has not yet determined whether any personal data was 
acquired," the statement said. "To date, the state Department of Social 
Services has not received any information indicating that identity theft 
or any misuse of the data has occurred."

The database was being used by a visiting scholar at the school's 
Institute of Industrial Relations, the university said. "As part of her 
research project, she was trying to determine how wage and benefit 
increases can improve the recruitment and retention of quality home-care 
workers. Campus networking officials say they are investigating how and 
why the breach happened."

The letter from the legislators also took the department to task for the 
length of time it took to disclose the potential information theft.

"It has been over two and a half months since the security breach 
occurred and one and a half months since the University of California 
detected the problem," the letter stated. "We suggest that the agency 
develop a stronger policy that both prevents the unauthorized access to 
personal information and requires departments to respond quickly if 
security breaches occur."

Similar security incidents have occurred in California in the past. Last 
month, a hard drive that contained names, addresses and Social Security 
numbers for some 23,000 students, faculty members and employees at seven 
California state university campuses, was apparently thrown away 
accidentally after the drive was replaced by a technician (see story) 
<http://computerworld.com/securitytopics/security/privacy/story/0,10801,95690,00.html>. 


