May 17, 2013
Mr. Richard M. Tobe, Esq.Deputy Erie County ExecutiveRath Building, 16th Floor95 Franklin StreetBuffalo, NY 14202
Dear Deputy County Executive Tobe:
We are in receipt of your correspondence dated May 8th, 2013. Even though we are still in the middle of our audit we feel compelled now to address a serious security issue involving the Department of Social Service’s (DSS) improper disposal of highly sensitive documents containing personal information of many Erie County residents. Due to the lack of sufficient internal controls and the lack of sufficient monitoring activities, the Department of Social Services has allowed for the disclosure of confidential information that is a violation of federal and state regulations.
You state in your letter that your Administration is committed to securing client, employee and other data that is required to be confidential and/or securely maintained. This rhetoric is not supported by facts. By your own admission, confidential records must be securely maintained but were placed in unsecured totes by your employees and placed outside of the Rath Building on the loading dock for pickup by a recycling company. Unfortunately these documents were readily accessible to anyone walking by the loading dock, to anyone near or in the recycling truck and to persons at the recycling facility.
Placing these documents in a place where they are available to someone other than the data subject is considered disclosure of personal and confidential information, which is prohibited by both federal and state regulations.
Only until our audit began to determine whether or not you were placing highly confidential information in unsecured boxes and totes did you take steps to rectify this serious security breach. Our office is pleased that once our audit brought this serious matter to your attention that you took steps to stop putting highly sensitive and personal documents of Erie County residents in the trash in unsecured totes without protecting people from identity theft.
What is most troubling about this process is that the records your employees have been carelessly discarding in the garbage in an unsecured manner are the same documents DSS claims are so sensitive in nature that our auditors cannot look at them. Auditors from the Office of Comptroller have been denied access to records that would supposedly violate privacy regulations, yet your workers have been placing the very same documents in open boxes in an unlocked, unsecured storage room in the Rath Building or in unsecured bins on the loading dock that allowed anyone walking by to retrieve them.
Facts show the Department of Social Services (DSS) workers were discarding highly confidential and personal information of individuals who were applying and re-applying for Temporary Assistance (TA):
- Your Administration is responsible to notify the State of New York and the Federal government that you inappropriately disclosed confidential information by simply throwing highly confidential, personal documentation in the trash.
- Your Administration did not protect the identities of thousands of Erie County residents by not securing and properly disposing of highly sensitive documents of children and adults including, but not limited to copies of: birth certificates, personal medical information, social security cards, social security numbers, passports, payroll records, inmate records, court records, tax returns, and bank account numbers
- As far as we are aware, your Administration never contacted individuals who applied for services provided by the Erie County Department of Social Services to notify them exactly how you were irresponsibly disposing of their most sensitive documents, to inform them that your lack of controls put them at risk for being the victims of identity theft
Facts show your Administration left thousands of Erie County residents vulnerable to identity theft by leaving their most personal documentation unsecured and accessible to persons other than the data subject. These highly sensitive documents were left unsecured in an unlocked part of the Rath Building, discarded in unsecured totes which were then taken to the loading dock for pickup by a recycling company, accessible to the public.
Your own employees have been putting Erie County residents at risk by placing their most sensitive records and documentation in unsecured boxes and recycle bins. Highly sensitive documents were placed in open bins and boxes in an unlocked area of the basement of the Rath Building, where they were then taken to the loading dock for recycling. Anyone could have retrieved the highly personal documents of the people we serve by simply taking them out of the unsecured bins.
You wrote that in late March 2013, you were made aware that there was a potential issue with the disposal of confidential records. Does this mean that there were no written policies and procedures in place at the time so that you were not able to determine if there was an issue or not? How were you made aware that there was an issue with the disposal of confidential records? What weaknesses in the process did you discover? What policies were in place regarding the disposal of confidential records at the time when you were made aware of this situation? Have the processes that were in place been changed? What new processes have been implemented?
By your own admission, documents containing confidential information were placed in unsecured totes and required that certain actions be immediately taken to secure all totes. This could be interpreted that management did not have sufficient internal controls in place to prevent and/or detect the inappropriate and PROHIBITED disclosure of confidential information.
Let me remind you that management not only has a responsibility for implementing sufficient control activities over processes but more importantly, it is also management’s responsibility to provide ongoing monitoring activities to ensure that the internal controls in place are performing as intended.
You also state: “there will always be some employees in any organization who do not comply with policy or behave irresponsibly.” Did you find that an Erie County employee did not comply with County policy or behaved irresponsibly? If so, what policy(s) was not complied with and/ or irresponsible behavior took place and what has been done to ensure that this doesn’t re-occur?
It appears your Administration did not have effective internal controls over the storage and disposal of confidential documents, nor were there effective monitoring activities in place to ensure that controls were working as intended. If there were, the disclosure of confidential information might have been prevented and management may have detected, in a timely manner, when an employee(s) are not complying with established policy and/or behave irresponsibly.
The fact that this deeply disturbing security breach of dumping highly confidential information in the garbage without protecting taxpayers was not detected in a timely manner shows the troubling lack of sufficient internal controls within the Department of Social Services (DSS). This issue hasn’t been around for a few weeks or months. It appears it goes back many years and was not detected by your employees until our audit began.
Your Administration did not protect the identities of thousands of Erie County residents by not securing and properly disposing of highly sensitive documents of children and adults including, but not limited to copies of: birth certificates, personal medical information, social security cards, social security numbers, passports, payroll records, inmate records, court records, tax returns, and bank account numbers.
Your Administration admitted that you discovered some weaknesses in security and destruction processes. This is a massive understatement. Your Administration is responsible for leaving our most vulnerable residents open to have their identities stolen, and as far as we are aware, your employees did not report it to New York State and the Federal government as required by law, and you did not let the people we serve know that you threw their most sensitive records in the garbage, unsecured. Thankfully our audit of your controls brought the issue to light, brought it to your attention, and we will determine in our audit whether or not the new controls put in place protect the identities of those applying for Temporary Assistance.
You also state that you have responded to concerns about the security of documents and the “potential” for documents to be “inappropriately disposed.” This statement is inaccurate. There are no issues whether or not there was the “potential” that DSS exposed thousands of Erie County residents to the perils of identity theft. This took place. Confidential documents were inappropriately disposed of. We found this serious breach of security as part of our audit, and your employees did nothing about it for months and even years prior.
Our audit has determined that documents containing confidential information were placed in unsecured recycle totes or open boxes, were left in an unsecured and unlocked area of the Rath Building where anyone could have retrieved them, and then the unsecured totes were subsequently taken and placed on the loading dock, outside of the County building, accessible to the public.
Documents with confidential information were disposed of in unsecured totes, placed outside of the county building, and then picked up by a recycling company in trucks that could be left unattended and the documents readily accessible to the public. Documents that contained confidential information were place in unsecured totes, placed in trucks with no guarantee that the totes actually arrived at the recycling facility. If a tote arrived at the facility, employees of the recycling company SORT documents with confidential information, once again, disclosing confidential information to the public.
In addition, as you are well aware, the Audit Division has been attempting to conduct a performance audit of the eligibility and recertification processes within the Medicaid unit of DSS.
Once notified that we wanted to commence an audit of the Medicaid eligibility and recertification processes, Commissioner Dankert requested a legal opinion regarding the Erie County Comptroller’s ability to access Medicaid applications and files in furtherance of this audit. Thomas Kubinec responded to her request in a letter dated February 20th, 2013.
In this letter reference is made to New York State Social Services Law § 367(b) and § 369(4) that requires Medicaid information to be confidential. The letter goes on to say that the county DSS would violate HIPAA and SSL if it were to tender the entire application and/or file to the Comptroller.
The letter further states that the County could provide individually identifiable information to the Comptroller by following the de-identification standard and implementation specifications in 45 CFR 164.514(a)-(b).
Information that must be redacted prior to disclosure includes (but is not limited to): names, addresses, all elements of dates, phone numbers, fax numbers, electronic mail addresses, social security numbers, medical record numbers, certificate/license numbers.
Documentation containing individually identifiable information was not redacted prior to being inappropriately disposed of by being placed in unsecured recycling totes and placed outside of the Rath building where it was accessible to the public.
We find it disturbing that DSS went to such great lengths to determine that the Comptroller’s office would not be able to access any Medicaid files unless such records were redacted as per the above mentioned regulation, yet the exact same documentation that we wanted to review was carelessly discarded in a manner that was readily accessible to the public.
While performing a walkthrough of the processes involved in the eligibility and recertification processes for Temporary Assistance, our Auditors were shown the process for the scanning, storage and disposal of original documentation. We were shown that documents were placed in unsecured recycle totes for destruction. Our office had no knowledge of the disposal process after that point.
We were not provided with any departmental policies or procedures regarding the scanning, storage or disposal of original documentation so we were not able to assess what the procedure should be or if internal control activities within this process were sufficient.
Our subsequent review of the process revealed that at no point during the disposal process were the recycle bins secured prior to being placed outside of the building and placed in recycle trucks. Documents containing confidential information were inappropriately disposed of in violation of numerous regulatory requirements some of which are listed at the end of this correspondence.
Audit has in its possession documents from 1,700 DSS cases that we obtained from an unsecured recycle bin placed outside of the County Building accessible to the public. They are now unfortunately public documents because you put them in the garbage. Your workers unfortunately made them public documents by placing them in unsecured cardboard boxes and bins in an unlocked and unsecured portion of the Rath Building, and then placed the highly sensitive documents outside of the Rath Building where any member of the public could have taken them.
Please be assured that all the copies of documents in our possession are safely secured. Some of the confidential information that we obtained includes but is not limited to copies of:
- Birth certificates
- Social security cards
- Social security numbers on various county forms
- Payroll records
- Personal medical information
- Inmate records
- Personal bank account numbers
- Tax returns
- Court records
The disclosure of confidential information is a serious matter. The law is clear. DSS workers violated numerous privacy laws and regulations. NYS Personal Privacy Protection Law protects individuals against disclosures of personal information without their consent, except in circumstances specified in the law.
If you have not already done so you must report this disclosure of confidential information to both the Federal and State authorities immediately. You must also inform Erie County taxpayers that their confidential information has been inappropriately disclosed. There are also remedies available to persons whose confidential information was inappropriately disclosed:
NYS Personal Privacy Protection Law § 97 Civil remedies states:
(l) Any data subject aggrieved by any action taken under this article may seek judicial review and relief pursuant to article seventy-eight of the civil practice law and rules
(2) In any proceeding brought under subdivision one of this section, the party defending the action shall bear the burden of proof, and the court may, if the data subject substantially prevails against any agency and if the agency lacked a reasonable basis pursuant to this article for the challenged action, award to the data subject reasonable attorneys’ fees and disbursements reasonably incurred.
(3) Nothing in this article shall be construed to limit or abridge the right of any person to obtain judicial review or pecuniary or other relief, in any other form or upon any other basis, otherwise available to a person aggrieved by any agency action under this article.
Privacy Act of 1974 § 552a.
(g)(1) Civil remedies
Whenever any agency (D) fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection.
(i)(1) Criminal penalties: Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
(2) Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e) (4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.
Because of the remedies available to them, your Administration is required to inform the individuals whose confidential information was inappropriately disclosed that this occurred. Since there are criminal penalties that could possibly be assessed on County employees, your Administration was responsible and continues to be responsible to report this event to federal and state agencies. We are not aware that any of these actions have taken place.
Please provide us with your detailed plan for these communications as soon as possible.
We have included further legal documentation that clearly shows DSS workers should have immediately reported how they were disposing of highly sensitive records for months and even years prior:
1. Medicaid Confidentiality Regulations and standards as established by § 1902(a) (7) of the Social Security Act (42 USC § 1396a (a) (7)):
FEDERAL MEDICAID CONFIDENTIALITY STANDARDS:
The federal Medicaid confidential data standard is established by §1902(a)(7) of the Social Security Act (42 USC §1396a(a)(7)). The law requires that a “State plan for medical assistance must: (7) provide safeguards which restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the plan.”
STATE MEDICAID CONFIDENTIALITY STANDARDS:
Federal Medicaid confidentiality standards have been implemented in State law in various provisions of the Social Services Law (SSL), and the Social Services regulations at Title 18 NYCRR §369 of the SSL provides that all information received by social services and public health officials and service officers concerning Medicaid applicants and recipients may be disclosed or used only for purposes directly connected with the administration of the Medicaid program. Also, pursuant to § 367b(4) of the NY Social Services Law, information relating to persons APPLYING FOR medical assistance shall also be considered confidential and shall not be disclosed to persons or agencies without the prior written approval of the New York State Department of Health.
18 NYCRR §357.5 sets forth specific procedures for storing and using individually identifiable information. These procedures apply to all recipient identifying information, including Medicaid data, maintained by the Department of Health, local social services districts, and other authorized agencies. Records containing individually identifiable information must be marked ‘’confidential’’ and kept in locked files or in rooms that are locked when the records are not in use. When in use, records must be maintained in such a manner as to prevent exposure of individual identifiable information to anyone other than the authorized party directly utilizing the case record.
No records can be taken from the place of business without prior authorization by supervisory staff of the Department of Health, the local social services district, or other authorized agency, nor can records be taken home by agency staff except upon prior supervisory authorization.
Records must be transmitted from one location to another in sealed envelopes stamped ‘’confidential’’, and a receipt must be obtained documenting delivery of the records. Interviews with clients must be conducted at a location and in a manner which maximizes privacy.Medicaid program administration employees of the Department, Social Services, local social services districts, and other authorized (via M.O.U.) agencies are permitted access to individual identifying information only where their specific job responsibilities cannot be accomplished without access to individual identifying information.
2. NYS Personal Privacy Protection Law § 92, 94, and 96:
§ 92 Definitions:
(4) Disclose. The term "disclose" means to reveal, release, transfer, disseminate or otherwise communicate personal information or records orally, in writing or by electronic or (by) any other means other than to the data subject.
§ 94 Agency obligations.
(1) Each agency that maintains a system of records shall:
(h) establish appropriate administrative, technical and physical safeguards to ensure the security of records;
(i) establish rules governing retention and timely disposal of records in accordance with law;
(j) designate an agency employee who shall be responsible for ensuring that the agency complies with all of the provisions of this article;
3) Each agency, for disclosures made pursuant to paragraphs (d), (i) and (l) of subdivision one of section ninety-six of this article, except for disclosures made for inclusion in public safety agency records when such record is requested for the purpose of obtaining information required for the investigation of a violation of civil or criminal statutes within the disclosing agency, shall:
(a) keep an accurate accounting of the date, nature and purpose of each disclosure of a record or personal information, and the name and address of the person or governmental unit to whom the disclosure is made;
§ 96 Disclosure of records.
(1) No agency may disclose any record or personal information unless such disclosure is:
(a) pursuant to a written request by or the voluntary written consent of the data subject, provided that such request or consent by its terms limits and specifically describes:
(i) the personal information which is requested to be disclosed;
(ii) the person or entity to whom such personal information is requested to be disclosed; and
(iii) the uses which will be made of such personal information by the person or entity receiving it; or
(b) to those officers and employees of, and to those who contract with, the agency that maintains the record if such disclosure is necessary to the performance of their official duties pursuant to a purpose of the agency required to be accomplished by statute or executive order or necessary to operate a program specifically authorized by law; or
(c) subject to disclosure under article six of this chapter unless disclosure of such information would constitute an unwarranted invasion of personal privacy as defined in paragraph (a) of subdivision two of section eighty-nine of this chapter; or
(d) to officers or employees of another governmental unit if each category of information sought to be disclosed is necessary for the receiving governmental unit to operate a program specifically authorized by statute and if the use for which the information is requested is not relevant to the purpose for which it was collected; or
(e) for a routine use, as defined in subdivision ten of section ninety-two of this article; or
(f) specifically authorized by statute or federal rule or regulation; or
(g) to the bureau of the census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title XIII of the United States Code; or
(h) to a person who has provided the agency with advance written assurance that the record will be used solely for the purpose of statistical research or reporting, but only if it is to be transferred in a form that does not reveal the identity of any data subject; or
(i) pursuant to a showing of compelling circumstances affecting the health or safety of a data subject, if upon such disclosure notification is transmitted to the data subject at his or her last known address; or
(j) to the state archives as a record which has sufficient historical or other value to warrant its continued preservation by the state or for evaluation by the state archivist or his or her designee to determine whether the record has such value; or
(k) to any person pursuant to a court ordered subpoena or other compulsory legal process; or
(l) for inclusion in a public safety agency record or to any governmental unit or component thereof which performs as one of its principal functions any activity pertaining to the enforcement of criminal laws, provided that, such record is reasonably described and is requested solely for a law enforcement function; or
(m) pursuant to a search warrant; or
(n) to officers or employees of another agency if the record sought to be disclosed is necessary for the receiving agency to comply with the mandate of an executive order, but only if such records are to be used only for statistical research, evaluation or reporting and are not used in making determination about a data subject.
§ 96-a. Prohibited conduct.
1. Beginning on January first, two thousand ten the state and its political subdivisions shall not do any of the following, unless required by law:
(a) Intentionally communicate to the general public or otherwise make available to the general public in any manner an individual's social security account number. This paragraph shall not apply to any individual intentionally communicating to the general public or otherwise making available to the general public his or her social security account number.
3. Privacy Act of 1974 5 USC § 552 (b) and (e10)
(b) Conditions of disclosure:
No agency shall disclose any record, which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be
(1) to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;
(2) required under § 552 of this title;
(3) for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section;
(4) to the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title 13;
(5) to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable;
(6) to the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;
(7) to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought;
(8) to a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual;
(9) to either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;
(10) to the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the General Accounting Office;
(11) pursuant to the order of a court of competent jurisdiction; or
(12) to a consumer reporting agency in accordance with § 3711(e) of Title 31.
e) Agency requirements:
Each agency that maintains a system of records shall establish appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained;
4. NYS Codes, Rules and Regulations, Social Services Law - Assistance and Care Title 1 - § 136 Protections of Public Welfare Records:
1. The names or addresses of persons applying for or receiving public assistance and care shall not be included in any published report or printed in any newspaper or reported at any public meeting except meetings of the county board of supervisors, city council, town board or other board or body authorized and required to appropriate funds for public assistance and care in and for such county, city or town; nor shall such names and addresses and the amount received by or expended for such persons be disclosed except to the commissioner of social services or his authorized representative, such county, city or town board or body or its authorized representative, any other body or official required to have such information properly to discharge its or his duties, or, by authority of such county, city or town appropriating board or body or of the social services official of the county, city or town, to a person or agency considered entitled to such information. However, if a bona fide news disseminating firm or organization makes a written request to the social services official or the appropriating board or body of a county, city or town to allow inspection by an authorized representative of such firm or organization of the books and records of the disbursements made by such county, city or town for public assistance and care, such requests shall be granted within five days and such firm or organization shall be considered entitled to the information contained in such books and records, provided such firm or organization shall give assurances in writing that it will not publicly disclose, or participate or acquiesce in the public disclosure of, the names and addresses of applicants for and recipients of public assistance and care except as expressly permitted by subdivision four. If such firm or organization shall, after giving such assurance, publicly disclose, or participate or acquiesce in the public disclosure of, the names and addresses of applicants for or recipients of public assistance and care except as expressly permitted by subdivision four, then such firm or organization shall be deemed to have violated this section and such violation shall constitute a misdemeanor. As used herein a news disseminating firm or organization shall mean and include: a newspaper; a newspaper service association or agency; a magazine; a radio or television station or system; a motion picture news agency.
2. All communications and information relating to a person receiving public assistance or care obtained by any social services official, service officer, or employee in the course of his or her work shall be considered confidential and, except as otherwise provided in this section, shall be disclosed only to the commissioner, or his or her authorized representative, the commissioner of labor, or his or her authorized representative, the commissioner of health, or his or her authorized representative, the welfare inspector general, or his or her authorized representative, the county board of supervisors, city council, town board or other board or body authorized and required to appropriate funds for public assistance and care in and for such county, city or town or its authorized representative or, by authority of the county, city or town social services official, to a person or agency considered entitled to such information. Nothing herein shall preclude a social services official from reporting to an appropriate agency or official, including law enforcement agencies or officials, known or suspected instances of physical or mental injury, sexual abuse or exploitation, sexual contact with a minor or negligent treatment or maltreatment of a child of which the official becomes aware in the administration of public assistance and care nor shall it preclude communication with the federal immigration and naturalization service regarding the immigration status of any individual.
5. Health Information Portability and Accountability Act (HIPAA)
6. NYS Social Services law Sec 367(b) and 369(4)
By haphazardly disposing of highly confidential documents your Administration has disclosed confidential information of many Erie County residents, you should have reported this some time ago to the State of New York, the Federal government and Erie County taxpayers. Please inform the Erie County Office of Comptroller exactly how and when DSS is reporting this security breach to the State of New York, Federal government and Erie County Taxpayers.
We will keep you informed on the progress of our audit of Temporary Assistance and when our work is complete.
Stefan I. Mychajliw
Erie County Comptroller
cc: Erie County Legislature
Erie County Fiscal Stability Authority
Erie County Attorney Michael Siragusa
Carol Dankert, Commissioner of Social Services