toledoblade.com --

COLUMBUS — For the second time in a month state officials have announced that personal information of Ohioans has been compromised by the theft of computerized data from a state employee.

Officials with the Ohio Bureau of Workers’ Compensation revealed this morning that a laptop computer stolen from the home of an employee nearly a month ago contained the names, Social Security numbers, and potentially the medical information of 439 injured workers.

Two weeks ago Gov. Ted Strickland announced that a data storage device was stolen from the car of a state intern putting at risk tens of thousands of Ohioans personal information.

The BWC computer had been reported stolen more than two weeks before the bureau began to investigate what information it might have contained. That review was triggered only by the revelation that the state had a much bigger problem with the theft on June 10 of a backup data storage device containing personal information of what was believed then to be tens of thousands of Ohio employees.

“I was concerned that there didn’t appear to be internal sensitivity around the urgency of what was on that computer,’’ said BWC Director Marsha Ryan, who said she wasn’t told of the May 30 theft until June 15.

“It hadn’t risen to the level of examining the implications of the loss of that asset, the computer,’’ she said. “I immediately began to ask questions about the policies, procedures, and what we did in terms of following through when as asset is stolen.’’

The bureau had no policy on how to respond to the theft of a laptop computer, but is developing one now.

Nine Twitty, a 27-year state employee, was working on an audit of 24 self-insured employers and was spot-checking information on past worker accounts as part of that audit. The information was as old as one to two years, said BWC spokesman Keary McCarthy

He said the bureau is working to find the most recent addresses for these workers and is in the process of contacting them. They will be offered the same identity theft monitoring services that the state has already offered to state employees, their dependents, and some 225,000 Ohio taxpayers whose personal information was more recently discovered to be on the state data device stolen from the intern.

He said the laptop was the only item of significance taken in the May 30 burglary of the auditor’s home. The theft was reported to Columbus police and to the employee’s supervisor. Ms. Ryan was told when Gov. Ted Strickland held a press conference more than two weeks later to announce the much larger theft of a backup data storage device from the car of an intern.

The sensitive information ultimately found to be on that backup device includes personal data on more than 64,000 state employees and their nearly 76,000 dependants if enrolled in the state’s prescription benefit program. The list was expanded to include 225,000 Ohio taxpayers who hadn’t cashed state or school income tax refund checks since 2005, 2,488 people who hadn’t cashed unclaimed property checks, 602 Ohio Lottery winners who hadn’t cashed checks, and up to 1,000 others whose electronic fund transfers had failed.

Mr. Strickland was told of the BWC laptop problem four days after his June 15 press conference, Mr. McCarthy said.

“That’s clearly not up to par, which the governor made expressly clear after learning that the data device (stolen June 10) contained sensitive information,’’ said Strickland spokesman Keith Dailey. “We need standardized information, technology, and data security protocol. The administration’s goal is to implement an interagency policy that will aim to prevent the possibility of data theft from occurring in the future.’’

State employees and an outside computer expert continue to review the twin of the backup data storage device stolen from an intern’s car on June 10. The intern had been working in an office testing part of Ohio Administrative Knowledge System, a new $158 million system consolidating the state’s numerous payroll, purchasing, and other accounting functions.

The intern was asked to take the backup home as part of a routine security measure designed to keep the two backups in separate locations.
The information on the stolen BWC laptop was password protected, but not encrypted. Some of the information contained on the laptop was deemed public information until the passage of recent legislation, Mr. McCarthy noted. Social Security numbers, however, were never considered to be public.

Phil Fulton, a Columbus attorney who specializes in workers’ compensation cases, said injured workers have enough to deal with without having to worry about their personal information being compromised.

“I occasionally have a client who feels that once he has submitted a claim, his life is open to the world,’’ he said. “It’s not an uncommon concern of injured workers. This could have the effect of people saying, ‘I can’t file a claim because I’m risking all of my private information being obtained by someone’.’’

Ms. Ryan said there is no evidence that whoever stole the device was interested in the data it contained rather as opposed to the laptop itself.

“As a public institution, we must be more diligent in protecting the personal information contained on both internal and external digital devices,’’ said Ms. Ryan.

Contact Jim Provance at: jprovance@theblade.com, or 614-221-0496.

Permanent Link