The D.C. personnel office kept the personal information of more than 30,000 past and present District government workers, including their Social Security and bank account numbers, in unlocked filing cabinets, cubicles and an easily accessible copy room.
In an alert issued late last month, the city’s inspector general reported that the Benefits and Retirement Administration, an arm of the Department of Human Resources that handles health care and insurance programs for roughly 32,000 people, “is not properly safeguarding sensitive information submitted by and/or pertaining to D.C. government employees and retirees.”
“Consequently, unsecured, sensitive information is vulnerable to unauthorized access, which could lead to theft and misuse,” the alert concluded.
It is unclear how long the documents were left unprotected, though one IG official said it “appears to have been a while.” There was no evidence that any data was compromised.
The department has taken steps to secure the documents, but it wasn’t known Monday whether the office was fully locked down.
The warning comes as the District, like all government entities and private businesses, faces the growing threat of identity theft through computer breaches and other means. The city’s personnel manual requires strict controls of records to prevent unauthorized access — storage in locked metal filing cabinets or in a secured room, for example.
The IG noted after an on-site visit that the benefits administration was keeping documents in unlocked filing cabinets, in unlocked desks and in open cubicles. The paperwork included names, addresses, Social Security numbers, and bank and investment account numbers, among other information.
Auditors also found that a person entering the administration’s suite could easily access a copy room adjacent to the main waiting area, where sensitive information is kept. An IG team member walked by two “busy” employees manning the front desk, the alert stated, and “was able to enter the copy room seemingly unnoticed.”
In her written response to the report, Brender Gregory, DCHR director, said her agency “recognizes that the proper custody, use, and preservation of official information … cannot be overemphasized.” All employees, she wrote, must “strictly comply with applicable provisions of law regarding confidentiality and the safeguarding of sensitive information.”
The benefits administration suite has now been closed to incoming customers, Gregory wrote. All staff have been provided with locking cabinets. And the copier area is scheduled for card reader access installation.
Mayor Adrian Fenty’s office did not respond to requests for further comment.
Past cases
June 2006: Laptop owned by financial services firm was stolen, jeopardizing the personal information of 13,000 city employees.
May 2009: Personal information of 1,250 applicants for tuition assistance attached to an e-mail sent to other applicants.
