America's Privacy Watchdog
1,818,342 Identity Exposure Reports
EXPOSING IDENTITY: (Maryland Department of Human Resources)
Maryland Department of Human Resources
311 West Saratoga Street

Baltimore, MD 21201
(800) 332-6347 x 3
http://www.dhr.maryland.gov/

Sensitivity: Extreme
Duration: More Than One Month
Distribution: Exposed Online


Resolution

File Deleted, Caches Cleared

Press Release

Maryland State Govt Employee Takes, Posts 2,890 SSNs Online
FOR IMMEDIATE RELEASE: July 19, 2010. UPDATED: July 24, 2010

BALTIMORE, Maryland. An employee of the Maryland Department of Human Resources (DHR) posted 2,890 names, social security numbers, home addresses, phone numbers and other personal information of Baltimore County residents on his company's website for more than two months. Between April 27, 2010 and July 14, 2010 the sensitive personal information was potentially available to anyone in the world with an internet connection. The file was also accessible through the Google search engine.

The Liberty Coalition first notified DHR of the breach on July 9, 2010. By July 14, 2010 the file had been deleted, and Google cleared its search engine caches by July 17, 2010. Once notified, DHR moved quickly to have the file removed from the third-party website and notify victims. In Maryland, state agencies are not legally required to notify victims when a breach occurs. Notwithstanding, DHR mailed 2,899 letters to victims and their personal representatives notifying them of the breach.

According to Fox 45, at least one breach victim has reported unauthorized financial activity, though it is unclear whether the unauthorized activity is related to this breach. The agency has offered to pay for credit monitoring services for victims of the breach if they call 1-800-332-6347 x 3 then 0 before October 29, 2010.

The DHR employee responsible for the breach has been placed on administrative leave, and the matter has been referred to the Maryland State Attorney General's office for investigation.

The agency mailed a Letter to Affected Clients, and issued a statement on July 19, 2010 indicating that,

DHR neither authorized the release and posting of this information nor did we know this information had been posted until we were notified by the Liberty Coalition... Within four hours [of notification], DHR had confirmed that fact and had identified the owner of the website as a DHR employee – who was not authorized to post such information on his external website. DHR then immediately launched an investigation that involved our personnel department, our IT department, the Attorney General's office and our internal Inspector General....

The employee has been placed on administrative leave pending the outcome of the investigation. DHR may pursue legal action depending on the results of the investigation.

...On July 20, only after ensuring that the information was no longer available on the Internet, DHR sent a letter to each of the affected individuals to advise them of what happened and what steps they can take to protect their identities. ...DHR will pay for credit monitoring for those who are interested in that service and had their information exposed.

For more information or to take advantage of the agency's offer to monitor credit, victims should call 1-800-332-6347 x 3 then 0 before October 29, 2010.

UPDATE July 24, 2010: We have received several calls from victims seeking additional information. The Baltimore Sun reports that the employee who caused the breach has been fired. DHR has not released, and the Liberty Coalition cannot confirm, the employee's name; however, the website on which the breach occurred was unified-dsa.com. As of July 24, 2010 the WHOIS Database lists the registrant as "Bouknight, Charles," care of Network Solutions, PO Box 459, Drums, PA, US 18222.

According to Isabelle Fitzgerald, DHR IT Director, the breached file was an internal monthly report. Social Security Numbers were probably not required to be in that report. One victim who contacted the Liberty Coalition indicated that some of the individuals on the list were deceased, indicating that the report may be months or years old. This report is consistent with dates in the Excel file, which indicate that the report may have been created as early as March 2008. Relevant dates are below:

Date | Title | Origin
03/02/2008 | "Run Date" | Column Name in File
3/11/2008 12:50 PM | File Created Date | Excel File Properties
3/17/2008 2:39 PM | Last Modified Date | Excel File Properties
04/2008 | "Redet Dt" | Column Name in File
06/2008 | "Redet Due prior Date" | Column Name in File
4/27/2010 5:22 PM | Server Modified Date | unified-dsa.com server

DHR has not indicated when the file left the control of the agency.

The information on this page was compiled by the Liberty Coalition, which bears sole responsibility for its accuracy.

Copyright © Identity Finder, LLC. All rights reserved. This is a free public service provided by Identity Finder