Massachusetts law enforcement personnel tapped into the state criminal records database and inappropriately viewed the personal records of celebrities on dozens of occasions, according to a state audit released Tuesday.

State Auditor Joseph DeNucci conducted a review of the Massachusetts Criminal Justice Information System (CJIS), which is a database of criminal records on every convicted adult in the state, and found that there were hundreds of queries made on the names of famous Massachusetts people and other “high-profile” citizens, the audit report said. In addition, those who accessed the celebrity files did so without any apparent work-related justification.

The CJIS is available to local police departments and state agencies through remote terminals connected to a central network. Beyond the 3.4 million criminal history files stored on the system, it also provides access to driving records, vehicle ownership records, firearms licensing information, birth dates, physical descriptions and Social Security numbers, DeNucci's audit report states.

New England Patriots football star Tom Brady was one of the celebrities whose information was viewed, the Boston Globe reported Wednesday, citing two state officials familiar with the audit. In addition, the Globe reported that Matt Damon, James Taylor, Celtics star Paul Pierce and Red Sox owner John Henry were among the other celebrities whose information was viewed.

Glenn Briere, a spokesman for DiNucci, told SCMagazineUS.com in an email on Wednesday that the auditor's office is not identifying any names of individuals who were subjected to queries.  

“I realize the Boston Globe identified some names in its story, but we are not confirming or denying any of those names,” Briere said.

But, the audit report did say that, “one local celebrity's record revealed 128 events, by dozens of CJIS users, comprised of 968 queries against this individual's personal information.”

Queries for this individual included searches to determine whether he or she had FBI records, a criminal case record with the Massachusetts Board of Probation (BOP), an outstanding warrant, or had purchased any firearms. Users also had access to the individual's registered motor vehicle photo, license number and current home address.

Besides this, there were dozens of other incidents, resulting in hundreds of queries for information on well-known people.

Briere said that the auditor's office was not able to determine who specifically accessed these records because of the system's outdated technology and because of inadequate monitoring of these activities. 

But, improper usage of the system was not necessarily limited to police officers since the system has over 25,000 authorized users from not only police departments, but also agencies, such as the Registry of Motor Vehicles, Department of Corrections, Trial Courts, and District Attorney's offices, Briere said.

The audit report concludes that the Criminal History Systems Board (CHSB), which maintains the CJIS, does not have the control procedures in place to authenticate user groups who have access to the CJIS. In addition, there are no procedures to prevent and detect inappropriate queries to the CJIS.

As a result, sensitive information is at risk of being viewed, altered or destroyed accidentally or deliberately, DeNucci's audit said.

In response to the audit, the CHSB acknowledged that the CJIS is an outdated system written in nearly 30-year old programming language. The CHSB added that until fiscal year 2009, funding to improve the system has not been available.

This is an incredibly common problem, not just limited to Massachusetts or even state governments, Brian Cleary, VP of products and marketing for enterprise access governance vendor Aveksa, told SCMagazineUS.com Wednesday. It's pretty pervasive in the federal government and health care organizations as well, he said.

For example, recently a former U.S. State Department administrative assistant illegally accessed the passport application files of more than 150 people, including celebrities, politicians and friends. In addition, 15 employees were recently fired from Kaiser Permanente Bellflower Medical Center for accessing the medical records of octuplet mother Nadia Suleman without permission. Also, in November, a number of Verizon Wireless employees accessed and viewed President-elect Barack Obama's personal cell phone account without authorization.