Huffpost San Francisco

Security Breach: Lost Data Cartridges May Have Exposed Personal Records From California's Child Support System

Posted: Updated:

LOS ANGELES — Four computer storage devices containing personal information for about 800,000 adults and children in California's child support system – including their names and Social Security numbers – were lost by IBM and Iron Mountain Inc., officials announced Thursday.

There's a chance the information from the California Department of Child Support Services won't be accessible because a specialized machine is needed to run the cartridges the data is stored on, and special hardware and software are needed to read it, said Christine Lally, a spokeswoman for the state's Office of Technology Services.

"(A data cartridge) is definitely not something that you or I could just pop into our laptop," Lally said.

The cartridges also contained addresses, driver's license numbers, names of health insurance providers and employers for custodial and non-custodial parents, and their children.

The department has notified all those possibly affected by the March 12 data loss via mail, and has notified the three major credit reporting agencies, the state attorney general's office and the state Office of Privacy Protection.

The agency's interim director, Kathleen Hrepich, says the incident won't affect the processing of child support cases.

The backup storage cartridges had been sent to IBM's facility in Boulder, Colo., as part of a disaster simulation, so the technology company could test whether it could run the state's child support system remotely.

The cartridges are believed to have been lost in transit, somewhere between Boulder and Sacramento, Lally said.

The state contracts with Iron Mountain to provide secure transportation services. But Iron Mountain doesn't fly, so the data storage company had FedEx transport the cartridges.

"We believe that the container was not properly secured, thus allowing the container to open and then spill out," Lally said.

IBM did not immediately respond to a call seeking comment.

Thursday's announcement isn't the first time massive amounts of personal information entrusted to IBM has been lost.

Last March, IBM informed insurer Health Net that the company could not find drives containing information for 1.9 million enrollees. The lost information included financial information, Social Security numbers and health histories.

The state's contract with IBM for the disaster services contract began August 1, 2008, and expires July 31, 2012.

"Obviously, the California state agency picked IBM because it trusted its expertise in securing highly sensitive personal data," said Beth Givens, director of the Privacy Rights Clearinghouse.

"Unfortunately, we can't assume that our sensitive personal information is safeguarded to the extent that it should be," Givens said.

The San Diego-based organization tracks data breaches and estimates at least 550 million personal records have been breached since it began tracking them in 2005.

The child support department is recommending that those affected by the breach place a fraud alert on their credit cards, get copies of their credit reports and take other appropriate steps to protect their identities.

___

Online: www.childsup.ca.gov