Posted on July 2nd, 2010 No comments
When a mound of Middletown city documents containing people’s private information was found in a public dumpster this spring, it wasn’t the first — or largest — such security breach by a local government.
An investigation by this newspaper has found that Butler County’s Department of Job and Family Services learned in 2008 that confidential records from that agency were being “periodically” improperly disposed of in a public bin.
An internal analysis by the agency found that 10,600 people could have been affected.
This is the number of people who used the JFS office at 4122 Tonya Trail in Fairfield Twp., where the documents originated. They included case notes and verification forms dealing with the Ohio Works First, food stamps, Medicaid and child care programs.
Though the records were supposed to be shredded using a document disposal company, county officials found that office had been simply throwing the records in a recycling bin.
That’s where they were found by a member of the public on July 18, 2008.
The county took action to make sure the records were disposed of properly, and considered notifying the people who may have had information compromised.
Officials drafted a letter suggesting people could use a free Internet service to guard against identity theft.
But they never sent the notice out.
Instead, they decided to “wait and see if there is any response from clients,” according to internal memos.
Two years later, those clients still have no knowledge their information could have been compromised.
“They should have told us from the very beginning,” said Christina Cruz, who used the JFS office during that time.
County held back on response to a records breach
When Jerome Kearns first saw the pile of confidential records from his office in a Dumpster by Butler Tech, he thought they were stolen.
It was July 18, 2008. County records lay out in detail what happened next: what county officials did — and didn’t — do.
There were piles of papers — files from Butler County Job and Family Services, where Kearns is assistant director, and from LifeSpan, the county engineer’s office, Children Services, and Butler County Child Support Enforcement Agency.
Some of the records contained confidential information, such as case notes and eligibility verifications for food stamps, Ohio Works First, subsidized child care and Medicaid programs.
Kearns estimates there were about 10 60-gallon trash bags of records. He called co-worker Adam Jones because Jones had a pickup truck.
“They weren’t going to fit in my Elantra,” Kearns said. “There was a significant number of records there.”
The records had been found by a member of the public.
“Some member of the community was throwing their stuff in there, and picked one up and thought they were important,” Kearns said.
Kearns took the records back to where they presumably came from, the JFS office at 4122 Tonya Trail, off Liberty Fairfield Road in Fairfield Twp.
Documents pitched ‘periodically’
It didn’t take long to solve the mystery.
The next day, Kearns asked Kim Gay, manager of that office, where the bins were that she used for confidential information. In other county offices, special bins were periodically picked up by the company Royal Document Destruction for shredding.
The Fairfield Twp. office, which had been open since January 2007, had no such bins. Staffers there had been throwing records in the recycling bins. Believing that there was no confidential information involved, a worker for Butler County Environmental Services, which handles recycling for county offices, “had dumped these bins at community sites periodically over the last six months,” Kearns wrote later.
County officials went into action.
They brought new, secure bins to the Tonya Trail office. They pulled records and found 10,600 people who had used that office in the prior 12 months. They researched a company that provides protection for people at risk of identify theft, and what it would cost to cover all those people.
They put together a list of addresses, and drafted a letter notifying people who may have been affected.
“Although we consider the risk to you to be relatively low, the fact is that we failed to adequately protect your confidentiality, and we want to rectify that now,” the letter said.
Then, they did nothing. The letter never went out.
“I asked Tim (Williams, then county administrator) for direction regarding our records that were found in a (D)umpster,” says a Aug. 19, 2008, memo from Kearns. “Tim indicated that (county) commissioners would like to wait and see if there is any response from clients.”
“Tim does not want us to send a letter out notifying clients that their records might have been compromised,” the memo says.
Two commissioners said they were satisfied there was no proof that anyone had their information misused, and that the risk of that happening was low.
“There was nothing to lead us to believe there was more (records dumped in public bins),” said Commissioner Donald Dixon. “We were advised the risk was not sufficient to warrant any other action at that time.”
Dixon said his concern was that making the situation public might make someone more likely to look for the records.
Commission President Gregory Jolivette said notifying the public was also an expensive prospect.
“From my recollection, it was going to cost a lot of money to go another route,” he said.
Commissioner Charles Furmon declined comment for this story.
‘No affirmative obligation’
County officials consulted with the prosecutor’s office and the Ohio Department of Job and Family Services. They came to the conclusion that a state law requiring agencies to tell the public about security breaches didn’t apply to them.
“Final discussion with (Ohio JFS attorney Ramesh Thambuswamy) on Aug. 6, 2008, concluded that there was no requirement to contact client(s) about a potential breach,” reads a memo from Roger Clark, Butler County JFS legal supervisor. “Ramesh also restated that he does not think (the law above) should be used as guidelines for our county.”
The attorney recommended they take corrective action and document everything in writing, which they did.
“There was no affirmative obligation … ( for JFS) to contact anybody,” said Bruce Jewett, interim county administrator.
“We thought the likelihood of any of that information being used was extremely low, and I’d say that was a position that developed over time,” Jewett said. “That’s not to say I didn’t treat the matter with the appropriate level of concern.”
Jewett is and was director of Butler County JFS, and is currently president of the county’s records commission.
“Ultimately, I was comfortable with the decision that was made,” he said.
Kearns said it was unlikely any of the records they found were compromised because they didn’t sit in the Dumpster very long.
But no one knows how often or how many times such records were tossed in a public bin since the office opened in 2007. That makes it unclear exactly what kinds of records were improperly disposed of over that year.
“We have no proof there was confidential information put in those Dumpsters,” Kearns said. “I have no way of knowing that number was 10,600.”
Kearns said no one was disciplined because the person who opened the Tonya Trail office, and so was deemed responsible for not providing the proper bins, left the county. That office closed in April of this year.
Part of the reason the risk of identity theft was deemed low was because those affected were low-income, Kearns and Jewett said.
“Our clients typically don’t have assets,” Kearns said.
‘That’s messed up’
“That’s messed up,” said Christina Cruz, 30, one of the people who used that office during that time period. “They should have told us from the very beginning,”
Cruz, who lives in Hamilton, collected Ohio Works First money when she was pregnant with her daughter, now 2. She said all someone would need is her Social Security number to steal her benefits.
Constance Iredale said when her daughter Christa, now 26, applied for Medicaid, food stamps and child care benefits at the Tonya Trail office during that time, she provided all kinds of confidential information.
“It’s household income, everybody in the household … my Social Security number, my cell number, my work number, copies of check stubs, all that information is on there,” she said.
“We were never informed that any of this happened,” said Iredale, a Liberty Twp. resident. “Hopeful, thank God, knock on wood, none of my stuff has been compromised,” she said.
View original source here