Report: County Employees’ Information Vulnerable to Inappropriate Access

Data about Montgomery County employees — including health records, tax information and Social Security numbers — could be accessed through a weakness in county computers dating back to May 2016, according to a report publicly issued by the Montgomery County Inspector General on Tuesday evening.

A four-page report says the county neglected to install new software to correct the vulnerability or to find the root cause of the problem. Instead, the document says, the county disabled an “access point,” a step that apparently prevented access to the data.

The report, from Inspector General Edward L. Blansitt, doesn’t say when the county disabled the access point. His report says “a data breach” was detected in May 2016, reported to the Department of Technology Services in November 2016 and then to the Office of the Inspector General in November 2017.

The vulnerability, he writes, was contained in off-the-shelf software.

Blansitt’s office released the report, dated March 1, after 5 p.m. Tuesday.

Blansitt says an unnamed contractor reported the weakness and accessed the data “ostensibly to define and demonstrate the problem.”

However, according to a two-page reply from Chief Administrative Officer Timothy Firestine, an unnamed contractor was removed from the county contract because of his access to sensitive records.

“Out of an abundance of caution, however, and given the number of records accessed by the individual and the extended time period of inappropriate access, the County concluded that the unauthorized acquisition was likely to result in the misuse of the information,” Firestine writes.

Neither Blansitt nor Firestine could be reached for comment.

The county’s enterprise information systems officer is continuing a time-consuming “access audit” of each log entry to make sure personal data was accessed properly, according to both documents.

Blansitt’s report also says recommendations that followed other data breaches could have prevented the one from 2016.

“An external consultant had previously issued findings and recommendations that might have prevented this incident if fully implemented,” the report says. “… [C]onsidering the ‘near miss’ of this and other incidents, we feel strongly that prompt implementation of appropriate recommendations should be given a high priority.”

Here is Blansitt’s report with Firestine’s reply:

Douglas Tallman
