IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

New York Comptroller: Cayuga County Mishandled Personal Data

A recent audit of the Cayuga County Health Department by the state comptroller’s office found that half of the devices assigned to personnel contained some form of sensitive personal data.

(TNS) — A state comptroller's audit found sensitive data was improperly stored on devices used by the Cayuga County Health Department.

The audit focused on 61 devices assigned to health department staff. Auditors determined that 32 of the 61 devices had some form of personal, private and sensitive information on local hard drives, a violation of the county's policy.

According to the comptroller's office, the county has policies regarding the handling of sensitive data, such as how emails are stored. The policy also covers the disposing of devices and ensuring that any sensitive information is removed.

One part of the policy requires sensitive data to be stored on shared network drives and not a device's hard drive.

Auditors noted that county officials, particularly information technology staff, did not have formal written procedures to protect sensitive information. But the report acknowledges that IT staff set up certain safeguards, such as requiring passwords on devices and restricting administrative rights, to restrict access to the data.

"Written procedures with clear instructions for staff to follow help ensure that privileged information is not acquired by a person without valid authorization," the auditors wrote. "When officials do not develop and implement comprehensive written procedures for these key areas, communicate them to applicable staff and continually monitor and update them as necessary, the risk that unauthorized users could access and misuse confidential data, such as PPSI in health and medical records, early intervention student records, or payroll information, without detection is significantly increased."

The comptroller's office issued a handful of recommendations for the county, including the development of formal written procedures to secure sensitive information and setting security levels for the data. The county was also advised to classify the information so they know what's on the devices.

In a letter responding to the audit, Cayuga County Legislature Chairman David Gould wrote that the county is developing a corrective action plan. He also explained that the period covered by the audit was "a challenging time" for the county's IT department. The county hired a chief information officer in July 2021 while the audit was ongoing.

©2022 The Citizen, Distributed by Tribune Content Agency, LLC.