The California Office of Information Security & Privacy Protection’s 42-page guide (pdf) for state agencies on how to avoid security breaches, published in 2008, acknowledged “there is no easy solution to implementing an effective information security program.”
The nonprofit, nonpartisan journalism organization looked at 10 years of information collected by the state on government security breakdowns and found thousands of incidents where the privacy of patients and consumers was compromised by avoidable lapses in security.
“In 2012 alone, 16 state agencies and affiliated nonprofits reported major data breaches,” according to the center’s report, released last week. Although state security guidelines call for the encryption of sensitive data by agencies, the center found that one-fourth of the 283 computers and phones containing confidential information that were reported lost or stolen during the last decade lacked that fundamental protection.
Security breaches take many forms. Sometimes it is the result of hacking by outsiders. The center tabulated 154 computer attacks in form of viruses, denial-of-service assaults and other hacking attempts, of which 49 were successful.
Other times, breaches are a result of theft or employee screw-ups. The center found 1,646 incidents where information was exposed or ended up in the wrong hands because of employee error. That included lost equipment, documents mailed to wrong addresses or information improperly posted on the internet.
Some of the mistakes that led to compromised personal information were epic. A year ago, a package of information including Social Security numbers of 748,902 elderly home care patients and their caregivers was stolen from a Department of Public Health service provider while being transported to a state insurance office. A month earlier, 4,400 unencrypted confidential files on AIDS patients were stolen. Last November, 14,000 Social Security numbers of in-home care workers were accidentally posted online by the Department of Health Care Services.
Despite the scary information about security breaches available in the state’s own files, a true picture of how much confidential data has been exposed is hard to determine. As the center pointed out, not every breach is reported in a timely fashion nor are they all investigated.