Thursday, April 7, 2011

State Dept eMED data breach: info not disclosed to others but advises employees to get credit reports

We've posted previously about the data breach at the State Department relating to approximately 250,000 medical records of its employees and other USG employees working at other agencies (see Alleged Fake Amcits Had Contract Jobs at State Dept, Held Security Clearances).

We sent off the following questions to the State Department Medical Director (got an out of office response), the Medical Records Office (got a canned response thanking us for our medical clearance submission), and a couple of other offices:
  • What type of information was obtained?
  • What happened to the information illegally obtained by the contractor?
  • When and how was the breach discovered?
  • If the defendant was not discovered to have committed the alleged immigration fraud, would the State Dept Office of Medical Services have discovered the breach in its medical database?
  • Now that eMed has been breached, how do employees and family members protect themselves?
The following is the response we got from a State Department official:

During the course of an unrelated investigation, Federal investigators informed the Office of Medical Services (MED) that a long-term IT contractor employed in MED had improperly retained personally identifiable information (PII) from a State Department medical database.  The contractor's employment had been terminated by his company last year.

The information retained by the contractor includes personally identifiable information (PII) associated with our medical clearance database,  such as name, address, and in some, but not all, cases, social security numbers and employing agency.  In some instances, the status of medical clearance - worldwide, limited, pending or not cleared for overseas - was included.  In addition, some entries included medical clearance blood test results.

The data that was in the possession of the contractor has been reviewed by the Department.  From information received to date, there is no indication that this information was disclosed to others.  The investigation is ongoing, and we are monitoring the situation closely.   MED's review to date shows that the information retained by the contractor did not include physician notes, treatment records, emails, scanned documents, or financial information.

The Department has provided guidance to its employees on this situation. We have sent letters to other agencies of those employees who may be affected by this incident. We are advising them to obtain a credit report and be alert to any unusual activity in credit card or bank accounts. State and non-State staff can send specific inquiries to a specially designated email address. We are also working to inform retirees who may be affected.

Because this incident is still under investigation, we cannot comment further at this time.

The response we got did not include the specifically designated email address; presumably that and the guidance to employees are available on the intranet. If you are an eligible family member with a deployed spouse and no access to the intranet, check with your Health Unit or your admin officer.

Note that you are entitled to receive one free credit report every 12 months from each of the nationwide consumer credit reporting companies (TransUnion, Equifax, Experian). You can order all three credit reports at the same time and compare them, but you then won't be able to request the free credit reports for another 12 months. Alternatively, you can request one credit report every four months so that you can keep track of any changes or new information that may appear on your credit report. Read more here.
