Human Error Puts Identities in Virginia and Kentucky at Risk
By Dian Schaffhauser
Simple human blunders were at the heart of two data leaks--one in Virginia and the other in Kentucky--in October.
The Virginia Department of Education sent out more than 77,000 letters in October to people whose personal data were stored on a flash drive that was lost in transit. The flash drive contained information on all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009. That included information on 77,577 former adult education students whose addresses were part of the data, as well as 25,693 former adult education students whose addresses were unknown to the department. The data consisted of names, birth dates, and, in many cases, Social Security numbers.
As explained in a letter from Superintendent of Public Instruction Patricia Wright to those whose information is at risk, the department was transferring the data via flash drive as part of a contract with Virginia Tech for research related to federal reporting requirements. Although the contract "includes a restricted-use data agreement and an affidavit of non-disclosure," Wright said, "no policy or system is immune from human error. Information stored on a flash drive was lost in Richmond in September 2009 after being given to a representative of Virginia Tech's Center for Assessment, Evaluation and Educational Programming for the purpose of conducting federally mandated research.
"We have no evidence that any of the information has been misused or that it is in the possession of any person as a result of this incident," the letter stated.
It suggested standard actions to mitigate the potential for identity theft:
- To monitor account statements and credit reports for unusual activity;
- To request a free credit report annually from each of the three major credit agencies;
- To call the local police or sheriff's office and file a report of identity theft if suspicious activity is found on a credit report; and
- To place a "fraud alert" on a credit file by contacting one of three major credit reporting agencies so that creditors will contact the individual before opening or changing an account.
Human error was also the cause of a smaller information breach in Shepherdsville, KY, when a Bullitt County Public Schools employee accidentally sent an e-mail message to 1,829 school district staff members that included the names and Social Security numbers of 676 district employees. The employees were identified as not having completed the district's 2010 open-enrollment process for insurance, and the e-mail was intended as a reminder to complete the process.
Twelve minutes after sending the e-mail, the employee attempted to recall it. The recall process worked on 737 of the messages, according to the district. The IT organization removed 1,089 of the remaining messages from recipients' mailboxes. That left three messages remaining. Those recipients were contacted and instructed to delete the mail and to send verification of having done so. "Thus, all 1,829 electronic mail messages have been accounted for," the district stated in an explanatory document on its Web site.
However, the district said it will send a notice to each individual to alert them about the potential for their personal information to be accessed. "The Bullitt County School System and Public Employee Health Insurance Program believe that they have taken immediate steps to mitigate any real or perceived damages to the affected Bullitt County School System employees," a letter to employees said. However, the district added, it "takes these types of situations very seriously and will do all that it can to ameliorate any negative ramifications from this occurrence, as well as prevent similar occurrences from happening in the future."
Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal and Campus Technology. She can be reached at firstname.lastname@example.org or on Twitter @schaffhauser.