Equifax Data Breach Could Involve State Agencies but How, to What Extent Not Yet Clear

The information verification services provided by Equifax, compromised in the recent historic data breach, are used by state agencies, but it's unclear whether the public sector will suffer as a result of the incident.

by / September 8, 2017

The true extent and impact of the Equifax data breach that occurred this summer and was made public on Thursday, Sept. 7 is yet to be determined, but officials interviewed by Government Technology said the incident could have considerable intersection with state and local agencies.

Over the past several years, the increasing use of data and analytics technologies has given government agencies better tools to combat fraud, waste and abuse. Among the most targeted programs historically are those in health and human services, which is why many turn to data verification services like Equifax. 

Equifax and its fellow “big three” credit agencies, Experian and TransUnion, offer services of considerable use and value to agencies tasked with confirming information about residents and applicants.

Proposals in several states, modeled after legislation from the Foundation for Government Accountability, a Florida nonprofit active in health care and welfare reform, would subject recipients of assistance to more stringent and more frequent eligibility reviews.

“And the checks could be conducted by private contractors who are motivated to justify their hiring by knocking as many people as possible off the rolls,” Stateline’s Jen Fifield wrote in May.

In April, Fifield noted, Mississippi passed a law requiring a private contractor to stand up a computer system to do a better job of vetting Medicaid and Supplemental Nutrition Assistance Program participants. 

Ohio and Oklahoma have considered similar actions, she noted, while Missouri and Wyoming passed their own such laws last year.

A 2012 Illinois crackdown on Medicaid fraud, utilizing a third-party contractor to identify people who might be ineligible for the program led to nearly 150,000 policy cancellations and savings of an estimated $70 million.

In 2015, the cost of fraud, overpayments and underpayments in assistance programs represented about $136.7 billion, according to Stateline.

Tony Lauro, senior security specialist for public sector at Akamai Technologies, a Massachusetts-based content delivery network and cloud services provider, said the Equifax breach could reveal significant public-sector exposure.

“I think this is one of those types of breaches that kind of crossed platforms of your industry vertical, if you will, because it’s dealing with consumer or user data that is used by many different parties,” Lauro said.

He pointed out that many different agencies and private-sector businesses often have access to a person’s Social Security number and driver’s license number — and unlike our credit card numbers, these high-value pieces of data follow us for life and have a far greater potential for exploitation.

An October 2015 data breach in Georgia underscored this fact, when the Secretary of State's office was alleged to have improperly released private information — including dates of birth and driver's license numbers — to purchasers of voter registration data.

“There needs to be an industry standard of when you notify someone whose data you have when a breach occurs. And this goes for state and local agencies as well. Because if agencies don’t have the trust of their people whose data that they support and need for them to function, there could be a massive breakdown in just how the state and local ecosystems even work,” Lauro said.

In an email, Missouri Chief Information Security Officer Mike Roling said he believes many states may use Equifax “indirectly through the big CMS [Centers for Medicare and Medicaid Services] bridge.”

Equifax Workforce Solutions, a business unit of Equifax Inc., has worked with CMS since 2013. It announced in May 2015 it had been awarded another year-long extension of its ongoing contract with CMS “to provide income and employment verification for Americans applying for health insurance subsidies under the Affordable Care Act.”

CMS said in an August 2013 fact sheet that if it is unable to confirm application data by comparing it with Internal Revenue Service and Social Security Administration information, submissions are then compared with wage data provided from Equifax.

The Equifax data breach announced Sept. 7 is believed to affect as many as 143 million Americans, or more than 44 percent of the U.S. population. But it remains unclear exactly how many states employ Atlanta-based Equifax, and how many may have been affected by the breach.

“Ohio Medicaid does not interface with Equifax,” Brittany Warner, press secretary for the Ohio Department of Medicaid, said via email, meaning the department does not employ Equifax to screen or verify applicant or customer information.

Bret Crow, communications director at the Ohio Department of Job and Family Services, said via email that the agency does use an Equifax service to verify employment status and income, and to determine eligibility for assistance. But Crow said the state believes no data was compromised.

“As we were assured today after speaking with the company, none of the employer-furnished data we query concerns credit card numbers, so no customer data was compromised,” Crow said.

Theo Douglas Staff Writer

Theo Douglas is a staff writer for Government Technology. His reporting experience includes covering municipal, county and state governments, business and breaking news. He has a Bachelor's degree in Newspaper Journalism and a Master's in History, both from California State University, Long Beach.