Theft of Ohio Data Storage Device Includes SSNs of all State Employees

Ohio Governor Ted Strickland announced Friday that the names and social security numbers of all 64,467 state employees were contained on a computer back-up device that was stolen on Sunday, June 11, but also emphasized that the data would be very difficult for a thief to access.

"I have asked the Ohio Highway Patrol to lead the investigation to recover the device," Strickland said. "Also, I have directed the Department of Administrative Services to secure the opportunity for state employees to access free identity theft prevention and protection services for one year."

It was determined the device contained personal employee information after reviewing 338,634 files in 24,333 folders over four days.

Tuesday it appeared that some of those 338,634 files might have contained names and social security numbers. After two days of review, it was determined that the names and social security numbers for all state employees were on the device.

DAS Director Hugh Quill notified state employees Friday morning via e-mail. The governor also said a letter will be sent to each employee's home, and a Web site went live to provide ongoing information for employees and the public regarding the situation.

Sunday, Strickland announced that he will seek to engage Matthew Curtin, a nationally known expert on information technology, security and data forensics, to assist with the state's ongoing review of the information in the stolen data device. Curtin is the founder of a Columbus-based firm, Interhack, dedicated to computer trustworthiness and information protection.

"Our review of the information in the stolen data device will continue until we have determined, with the assistance of this nationally recognized data forensic expert, that we have identified every piece of sensitive information contained in the device," Strickland said. "We will continue to inform the public as new information becomes available."

The following information was contained on the stolen medium:

• School district and local government Electronic Funds Transfer -- The files include school district names, local government names, and school district and local government bank account information. There are 2,685 records. The State Data Review Team is working under the assumption that this file includes all local governments and school districts.

• Medicaid provider EFT -- The files include Medicaid provider names, tax identification numbers, address and bank account information. There are 159,708 records in this file. The State Data Review Team is working under the assumption that this includes all Medicaid providers. Many of the records are likely duplicates.

• State Employees STRS Payment -- This file contains the names, social security numbers and STRS account numbers for the 1,031 state employees who are teachers in the State Teachers Retirement System. The 1,031 includes current state employees whose information was already known to be in the data device. It also includes state employees who have retired since 12-21-05 who pay into STRS because the file was created on that date.

• Electronic Funds Transfer Reimbursement -- This file includes information pertaining to 28,362 state employees and vendors who are recipients of Electronic Funds Transfers.

As of Sunday, the 17th, it was made known that the data also included:

• Information Related to Uncashed Temporary Assistance for Needy Families (TANF) Payments -- The file contains individual TANF recipient's names and TANF case ID numbers. Together, this information is considered confidential; however, it poses a remote threat of identity theft. The file contains 153,517 records. This file is believed to contain duplicates because Ohio's TANF caseload is approximately 84,000.

• Payroll Vendors -- The file includes the name and federal tax identification number of vendors that receive payroll deduction payments from the State of Ohio. Approximately 1,200 records are included on this file. Additionally, 16 of those records contain vendor banking information. The

• State Data Review Team is continuing to analyze this file for additional information.

Because the data was contained on a specialized medium, Strickland said it is highly unlikely that the data could be accessed by someone without the knowledge of how to do so.

The theft of the device happened when a state intern's car was broken into. Electronic data management standards at the intern's worksite call for one set of backup data to be stored off-site and the intern had been inappropriately designated to store the data at his home.

The governor has ordered the cessation of this data management practice, a review of the events that led to the data being compromised, and will take appropriate disciplinary action when the facts are known.

The governor has directed by executive order that state information technology managers immediately review, and if necessary change, the procedures for handling back up information to ensure that information is secure at all times.

"I urge all state employees to visit the State Employee Identity Protection Web site," said Strickland, "to learn how to sign up for free identity theft prevention services."