Forms containing the sensitive information of about 140,000 parents of newborns are at risk for compromise after they were not shredded upon disposal, the Georgia Department of Human Resources (DHR) has told parents in a letter.
DHR, which oversees the state Division of Public Health, said in the letter mailed last week that it improperly discarded records containing the Social Security numbers and medical histories of parents whose babies were born in the state between April 2006 and March 16 of this year.
Stuart Brown, director of the division, called the incident "a tremendous mistake," but said there is no evidence any of the data has been misused, according to media reports. The records did not contain any names or addresses, but did include data about parents' race, education, pregnancy care and information about the delivery.
Lisa Moery, spokeswoman for the DHR, told SCMagazine.com today that the incident came to light after an investigative reporter for a local television station discovered the records in March in trash bins outside a facility.
"We weren’t aware of it until last week," Moery said.
In a separate message posted on the agency’s website, Brown advised parents to place a fraud alert with one of the three major credit-reporting agencies. He added that the state Office of Vital Records soon will contact affected people "to verify specific data and provide individuals with additional information."
Brown told the Atlanta Journal-Constitution that hospitals submit the records to the state with birth certificates. The forms are supposed to be shredded after information in them is entered into computers.
However, Brown told the paper, the information was never destroyed because of a staff turnover. He promised offenders would be disciplined.
DHR has since instituted new confidentiality policies and procedures, trained all Vital Records staff on properly disposing of personal information and implemented updated shredding machines, according to a statement.
Kevin Simzer, chief marketing officer of Entrust, told SCMagazine.com that technology doesn't matter unless organizations ensure employees understand the value of sensitive data while also having the proper policies in place.
"It sounds like they really didn’t have these things in place," Simzer said.
Phil Neray, vice president at Guardium, told SCMagazine.com that organizations must establish "data-centric security cultures" to get employees thinking about safeguarding information.
This is not the first information security breakdown in Georgia state government. Last year, a contractor lost a disk containing the names, birth dates and Social Security numbers of 2.9 million health services recipients.
Get more IT security news. Click here for SC Magazine Blogs.