Indiana FSSA notifying 187, 533 clients of potential information breach

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.phiprivacy.net/?p=13017

> From their press release today:

The Indiana Family and Social Services Administration (FSSA) is in the
process of notifying some FSSA clients that some of their personal
information may have been accidently disclosed to other clients. The
accidental disclosures may have occurred whenRCR Technology
Corporation (RCR), a contractor for FSSA, made a computer programming
error to a document management system the company supports on behalf
of FSSA. This error caused an undetermined number of documents being
sent to clients to be duplicated and also inserted with documents sent
to other clients. This means some of the clients may have received
documents belonging to other clients along with their own documents.

The programming error was made on April 6, 2013, and affected
correspondence sent between April 6, 2013, and May 21, 2013. The error
was discovered on May 10, 2013. RCR determined the root cause of the
programming error and it was corrected on May 21, 2013.

In compliance with federal and state privacy law, FSSA has sent
written notices to the 187,533 potentially impacted FSSA clients
informing them that some of their personal information may have been
disclosed.

The type of information that may have been disclosed includes name,
address, case number, date of birth, gender, race, telephone number,
email address, types of benefits received, monthly benefit amount,
employer information, some financial information such as monthly
income and expenses, bank balances and other assets, and certain
medical information such as provider name, whether the client receives
disability benefits and medical status or condition, and certain
information about the client’s household members like name, gender and
date of birth. Of the 187,533 clients, 3,926 may have had their social
security numbers disclosed. This is being noted in the specific
letters being sent to this smaller group.

Due to the way the correspondence is printed and mailed, it was not
possible to determine specifically which clients had personal
information disclosed. Therefore, all of the clients potentially
impacted are being notified. It is important to note that just because
a client of FSSA received correspondence between April 6, 2013, and
May 21, 2013, this does not mean their personal information was, in
fact, disclosed in error to someone else; it just means the potential
exists.

FSSA clients who receive notifications are being advised of steps they
can take to protect themselves against identity theft. This includes
placing a fraud alert on their credit report by calling the toll-free
number of any of the three credit bureaus. A fraud alert places a note
on a credit report for 90 days requiring creditors to verify identity
before granting credit. There is no charge for a 90 day alert.

For those clients who may have had their social security information
disclosed, additional advice is being given to them that they could
place a security freeze on their credit reports. This can block an
identity thief from opening a new account or obtaining credit in the
client’s name. Any Indiana resident can request a security freeze at
no charge by contacting all three credit agencies below either online
or by sending a letter:

Equifax Security Freeze; 1-888-766-0008
P.O. Box 105788
Atlanta, GA 30348
https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

Experian Security Freeze; 1-888-397-3742
P.O. Box 9554
Allen, TX 75013
https://www.experian.com/freeze/center.html

Trans Union Security Freeze; 1-800-680-7289
P.O. Box 6790
Fullerton, CA 92834-6790
https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp

For more information, clients should visit the www.IndianaConsumer.com
website and click on “Identity Theft” and then “Credit Freeze.” They
are also encouraged to call the FSSA call center at 1-800-403-0864 if
they have questions or want more information.

Any client of FSSA who has received another client’s information in
error should return this material immediately to their local Division
of Family Resources Office. If this is not feasible, the material
should be securely shredded.

RCR is in the process of ensuring that none of the affected clients’
electronic case files contain information about other clients as a
result of this error. The company also is taking steps to improve
their computer programming and testing processes to prevent similar
errors from occurring in the future.

Statement from Debra Minott, secretary of the FSSA:
“Clients entrust their information to us and we take the security of
that information very seriously. We are ultimately responsible for the
safekeeping of that information and regret that in this rare instance
some information may have been accidently shared inappropriately. We
do not believe this was a widespread disclosure of information and
have only been made aware of a handful of instances where information
was received by the wrong person. Still, we are taking the most
complete and prudent approach to notifying all potentially impacted
clients.”

Statement from Robert C. Reed, president of RCR Technology Corporation:
“We at RCR Technology Corporation apologize that our actions may have
caused some FSSA client information to be disclosed in error. We will
do everything possible to prevent such an incident from happening
again in the future. We value our relationship with the State of
Indiana and our service to our fellow Hoosiers who are clients of the
Indiana Family and Social Services Administration.”

Contact Information:

Name: Jim Gavin
Phone: 317.234-0197
Email: Jim.Gavin () fssa in gov

Name: Marni Lemons
Phone: 317.234.5287
Email: Marni.Lemons () fssa IN gov
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.