A 22-year-old intern was given the responsibility of safeguarding the personal information of thousands of state employees, a security procedure that ended up backfiring.
The names and Social Security numbers of all 64,000 Ohio state employees were stolen last weekend from a state agency intern who left a backup data storage device in his car, Gov. Ted Strickland said.
An additional review of data revealed that the storage device also held information on 53,797 participants enrolled in the state’s pharmacy benefits management program, as well as names and Social Security numbers of about 75,532 dependents, the governor’s office confirmed Saturday. Strickland has asked Ohio Inspector General Tom Charles to investigate.
What officials don’t know is whether the thief is an unsuspecting common car burglar or a computer-literate opportunist with the capability of unlocking the code encrypting thousands of Social Security numbers.
Either way, Strickland said the security procedure failed, and he issued an executive order to change the practices for handling state data.
Officials were still determining whether the storage device contains any other personal information.
“Obviously, I feel badly this has happened, on a human level. As an executive, I’m trying to be transparent and we’re looking for ways to mitigate any harm. I remain hopeful there will be no breach of private information,” Strickland said.
$15 storage device
The governor said he was not allowed to specifically describe the computer device or other details surrounding the theft, under direction from law enforcement.
The device — listed in a police report as being worth $15 — was reported stolen along with a $200 radar detector out of Jared Ilovar’s car.
A message seeking comment was left for Ilovar, a college senior making $10.50 an hour as an intern with the Office of Management and Budget.
Under protocol in place since 2002, a first backup storage device is kept at a temporary work site for a state office along with the computer system that holds all the employee information, and a second backup device is given to employees on a rotating basis to take home for safekeeping, officials said.
Strickland said it was inappropriate for an intern to be designated that responsibility, and he ordered an end to the practice of employees taking the devices home. State Budget Director Pari Sabety said the device now would be stored in another location in a locked, fireproof box.
It was just the latest case of personal information on thousands of employees disappearing or being inappropriately accessed. Several universities, including Ohio State University and Ohio University, and even the Veterans Affairs Department have reported lost or stolen data.
In the Ohio case, Dawn Rice, an employee in the state Senate clerk’s office, wasn’t that bothered that sensitive information was being transported in cars on inexpensive equipment.
“I think it’s not that big of a deal,” she said. “The person who stole it would really have to know what he’s doing.”