FSSA Warns of Possible Security BreachPosted: Updated:
The Indiana Family and Social Services Administration has notified nearly 190,000 clients of a potential personal information breach. The agency says a contractor's programming error may have caused the accidental disclosures.
July 1, 2013
Indianapolis, Ind. -- The Indiana Family and Social Services Administration (FSSA) is in the process of notifying some FSSA clients that some of their personal information may have been accidently disclosed to other clients. The accidental disclosures may have occurred when RCR Technology Corporation (RCR), a contractor for FSSA, made a computer programming error to a document management system the company supports on behalf of FSSA. This error caused an undetermined number of documents being sent to clients to be duplicated and also inserted with documents sent to other clients. This means some of the clients may have received documents belonging to other clients along with their own documents.
The programming error was made on April 6, 2013, and affected correspondence sent between April 6, 2013, and May 21, 2013. The error was discovered on May 10, 2013. RCR determined the root cause of the programming error and it was corrected on May 21, 2013.
In compliance with federal and state privacy law, FSSA has sent written notices to the 187,533 potentially impacted FSSA clients informing them that some of their personal information may have been disclosed.
The type of information that may have been disclosed includes name, address, case number, date of birth, gender, race, telephone number, email address, types of benefits received, monthly benefit amount, employer information, some financial information such as monthly income and expenses, bank balances and other assets, and certain medical information such as provider name, whether the client receives disability benefits and medical status or condition, and certain information about the client’s household members like name, gender and date of birth. Of the 187,533 clients, 3,926 may have had their social security numbers disclosed. This is being noted in the specific letters being sent to this smaller group.
Due to the way the correspondence is printed and mailed, it was not possible to determine specifically which clients had personal information disclosed. Therefore, all of the clients potentially impacted are being notified. It is important to note that just because a client of FSSA received correspondence between April 6, 2013, and May 21, 2013, this does not mean their personal information was, in fact, disclosed in error to someone else; it just means the potential exists.
FSSA clients who receive notifications are being advised of steps they can take to protect themselves against identity theft. This includes placing a fraud alert on their credit report by calling the toll-free number of any of the three credit bureaus. A fraud alert places a note on a credit report for 90 days requiring creditors to verify identity before granting credit. There is no charge for a 90 day alert.
For those clients who may have had their social security information disclosed, additional advice is being given to them that they could place a security freeze on their credit reports. This can block an identity thief from opening a new account or obtaining credit in the client’s name. Any Indiana resident can request a security freeze at no charge by contacting all three credit agencies below either online or by sending a letter:
Equifax Security Freeze; 1-888-766-0008
P.O. Box 105788
Atlanta, GA 30348
Experian Security Freeze; 1-888-397-3742
P.O. Box 9554
Allen, TX 75013
Trans Union Security Freeze; 1-800-680-7289
P.O. Box 6790
Fullerton, CA 92834-6790
For more information, clients should visit the www.IndianaConsumer.com website and click on “Identity Theft” and then “Credit Freeze.” They are also encouraged to call the FSSA call center at 1-800-403-0864 if they have questions or want more information.
Any client of FSSA who has received another client's information in error should return this material immediately to their local Division of Family Resources Office. If this is not feasible, the material should be securely shredded.
RCR is in the process of ensuring that none of the affected clients’ electronic case files contain information about other clients as a result of this error. The company also is taking steps to improve their computer programming and testing processes to prevent similar errors from occurring in the future.
Statement from Debra Minott, secretary of the FSSA:
"Clients entrust their information to us and we take the security of that information very seriously. We are ultimately responsible for the safekeeping of that information and regret that in this rare instance some information may have been accidently shared inappropriately. We do not believe this was a widespread disclosure of information and have only been made aware of a handful of instances where information was received by the wrong person. Still, we are taking the most complete and prudent approach to notifying all potentially impacted clients."
Statement from Robert C. Reed, president of RCR Technology Corporation:
"We at RCR Technology Corporation apologize that our actions may have caused some FSSA client information to be disclosed in error. We will do everything possible to prevent such an incident from happening again in the future. We value our relationship with the State of Indiana and our service to our fellow Hoosiers who are clients of the Indiana Family and Social Services Administration."
Source: Indiana Family and Social Services Administration