About 1.4 Million Computer Records for In-Home Supportive Service Breached
The Health and Human Services Agency on Tuesday announced that an Aug. 1 "hacker attack" on a University of California-Berkeley computer might have exposed the personal records of about 600,000 care recipients and providers in the In-Home Supportive Services program, which provides a variety of services for seniors and people with disabilities, Knight Ridder/Contra Costa Times reports (Lee/LaMar, Knight Ridder/Contra Costa Times, 10/21). The 1.4 million exposed records -- including duplicates -- listed names, addresses, telephone numbers, birthdates and Social Security numbers of IHSS participants dating back to 2001 (Benson, Sacramento Bee, 10/20). According to Joanne McNabb, chief of the Office of Privacy Protection, the incident appears to be the largest computer security breach since a 2003 law began requiring that such break-ins be made public (Maitre, Oakland Tribune, 10/21).
The computer was being used by a visiting scholar who was researching the pay of the providers and quality of care under IHSS.
According to Knight Ridder/Times, the breach "highlighted weaknesses in safeguards against improper handling of sensitive personal information," but state officials say there is no evidence that the information was being used to commit identity theft (Knight Ridder/Contra Costa Times, 10/21). State officials recommended IHSS participants check their credit reports and consider placing a fraud alert on their accounts (Burress, San Francisco Chronicle, 10/21).
HHSA Assistant Secretary Carlos Ramos said the hacker was able to access the records through a vulnerability in the software (Oakland Tribune, 10/21). Ramos also said the university was not following agreed-upon security policies -- which call for names and Social Security numbers to be replaced by "unique identifiers," such as code numbers -- and also did not follow other safety requirements for storing information, such as encrypting the data.
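What the "unique identifier" policy Ramos describes looks like in practice, as an added illustration that is not code from the page, HHSA or UC-Berkeley: the name and Social Security number are stripped from the copy a researcher works with and replaced by a keyed, non-reversible identifier, while the table linking identifiers back to people stays with the data owner. The record fields and the key are constructed assumptions; the real dataset layout is not public.

```python
import hmac
import hashlib

# Constructed sample of the kind of extract the article describes
# (field names are assumptions, not the real IHSS layout).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "county": "Alameda", "hours": 40, "pay": 9.50},
    {"name": "John Roe", "ssn": "987-65-4321", "county": "Alameda", "hours": 22, "pay": 9.50},
    {"name": "Jane Doe", "ssn": "123-45-6789", "county": "Alameda", "hours": 38, "pay": 9.75},
]

# Placeholder for a key held by the data owner in a managed secret store.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def make_identifier(ssn: str, key: bytes) -> str:
    """Derive a stable identifier from the SSN with a keyed HMAC.

    The same person always gets the same ID, so duplicate rows can still be
    linked for analysis, but without the key the ID cannot be reversed or
    brute-forced from the small SSN space (a plain hash could be).
    """
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()
    return "P" + digest[:16]


def pseudonymize(records, key):
    """Return (research_copy, linkage_table).

    The research copy carries only the identifier and analytic fields and is
    what leaves the owner's custody. The linkage table (ID -> name/SSN) stays
    behind, encrypted and separate from the research copy.
    """
    research, linkage = [], {}
    for r in records:
        pid = make_identifier(r["ssn"], key)
        linkage[pid] = {"name": r["name"], "ssn": r["ssn"]}
        row = {k: v for k, v in r.items() if k not in ("name", "ssn")}
        row["id"] = pid
        research.append(row)
    return research, linkage


def contains_direct_identifiers(records) -> bool:
    """Release check: refuse to hand over a copy that still carries PII."""
    return any("ssn" in r or "name" in r for r in records)
```

The linkage table is the part that would also be stored encrypted, which is the other requirement Ramos mentions.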
UC-Berkeley officials said in a statement that the researcher had failed to take proper safety precautions when connecting her outside computer to the campus network.
Ramos said, "We didn't (necessarily have) good compliance with those requirements" (Knight Ridder/Contra Costa Times, 10/21).
The case is under investigation by FBI, the California Highway Patrol and the Department of Social Services. According to FBI spokesperson Tamara Nieman, to date no charges have been filed or arrests made related to the case (San Francisco Chronicle, 10/21).
Ramos was unable to comment on the status of the investigation. "At this point, our information is that it came from an outside source," he said (Oakland Tribune, 10/21).
According to Knight Ridder/Times, the announcement "raised questions about why the lapse wasn't disclosed immediately." A 2003 state law requires a government agency, business or other institution to notify the owner of exposed data "immediately following" the discovery of a break-in. The law allows for a delay in notification if the information could damage a criminal investigation (Knight Ridder/Contra Costa Times, 10/21).
A university screening program detected the breach in late August, but university officials did not report the incident to the state until Sept. 21, following an internal investigation led by FBI.
Ramos said he was uncertain why UC-Berkeley did not alert state officials earlier (Sacramento Bee, 10/20).
The university said in a statement that it confirmed the attack last month and informed IHSS "as soon as it was determined that doing so would not impede the FBI investigation" (Knight Ridder/Contra Costa Times, 10/21).
Ramos said that the state, once notified, brought in CHP and spent several weeks determining whether the IHSS data was vulnerable (Sacramento Bee, 10/20).
Ramos said IHSS announced the breach "to give people a heads up to take precautionary measures" (Knight Ridder/Contra Costa Times, 10/21). He added, "There's no indication that anybody's data has been compromised. It's a precautionary measure just to make sure folks are protected" (Sacramento Bee, 10/20).
UC-Berkeley spokesperson George Strait confirmed that there is "absolutely no evidence that any of this data was copied or downloaded or that anybody used it," but he noted that it was the largest such breach in campus history (San Francisco Chronicle, 10/21).
Ramos said, "For us, the trigger point is that at least the possibility exists that the data was accessed" (Oakland Tribune, 10/21).