Ohio Governor Changes Security Procedure After Workers’ Data Stolen

June 18, 2007

A 22-year-old intern was given the responsibility of safeguarding the personal information of thousands of state employees, a security procedure that ended up backfiring.

The names and Social Security numbers of all 64,000 Ohio state employees were stolen last weekend from a state agency intern who left a backup data storage device in his car, Gov. Ted Strickland said Friday, June 15th.

An additional review of data revealed that the storage device also may have held information about participants in the state’s pharmacy benefits management program and the names and Social Security numbers of their dependents. Strickland has asked Ohio Inspector General Tom Charles to investigate.

What officials don’t know is whether the thief is an unsuspecting common car burglar or a computer-literate opportunist with the capability of unlocking the code encrypting thousands of Social Security numbers.

Either way, Strickland said the security procedure failed, and he issued an executive order to change the practices for handling state data.

Officials were still determining whether the storage device contains any other personal information.

“I don’t mean to alarm people unnecessarily,” Strickland said. “There’s no reason to believe a breach of information has occurred.”

The governor said he was not allowed to specifically describe the computer device or other details surrounding the theft, under direction from law enforcement.

The device, listed in a police report as being worth $15, was reported stolen along with a $200 radar detector out of Jared Ilovar’s car.

A message seeking comment was left for Ilovar, a college senior making $10.50 an hour as an intern with the Office of Management and Budget.

Under protocol in place since 2002, a first backup storage device is kept at a temporary work site for a state office along with the computer system that holds all the employee information, and a second backup device is given to employees on a rotating basis to take home for safekeeping, officials said.

Strickland said it was inappropriate for an intern to be designated that responsibility, and he ordered an end to the practice of employees taking the devices home. State Budget Director Pari Sabety said the device now would be stored in another location in a locked, fireproof box.

It was just the latest case of personal information on thousands of employees disappearing or being inappropriately accessed. Several universities, including Ohio State University and Ohio University, and even the Veterans Affairs Department have reported lost or stolen data.

Was this article valuable?

Here are more articles you may enjoy.