Erie County’s Department of Social Services potentially imperiled the privacy of hundreds of county residents seeking benefits because of the sloppy and inefficient way in which workers disposed of old records, according to an ongoing audit by the county comptroller’s office.
Comptroller Stefan I. Mychajliw said department employees have been careless in how they discarded of sensitive data that the county received from individuals who applied and re-applied for government assistance. Among the inappropriately discarded documents, he said, were copies of birth certificates, personal medical records, Social Security numbers, bank accounts, tax returns, inmate records, payroll information, court records and passports.
“This is mind-blowing for two reasons. First, this would have been an identity thief’s dream. Also, this supposedly highly confidential material that our auditors were not allowed to look at, Social Services was dumping in unlocked boxes and bins and leaving them at the curb,” Mychajliw said.
The comptroller said the administration of County Executive Mark C. Poloncarz has been attempting to block an audit of the eligibility and recertification process within the Medicaid unit of the Social Services Department in order to safeguard the confidentiality of applicants.
A spokesman for the county executive’s office acknowledged the problem, but he clarified on Monday that the deficiencies were addressed before the comptroller’s office made them public.
“It’s something we have already taken action on,” said Mark Cornell, director of policy and communications for the county executive’s office.
In a May 8 letter addressed to the comptroller, Deputy County Executive Richard M. Tobe said the administration had begun to address the matter back in April.
“We discovered some weaknesses in the security and destruction process and have moved aggressively to cure all defects,” Tobe wrote.
On Monday, Cornell said it was a worker in the Department of Social Services who alerted the administration about the potential breach in security. He said it was discovered that some workers in the department had been discarding sensitive documents in the totes meant for recycling instead of placing them in the locked and secured totes that are intended for documents that will be shredded.
Cornell accused the comptroller of having a political motivation for releasing the information.
“We find his concern very disingenuous, considering he has known about the problem for months. And instead of doing something, he chose to allow sensitive documents to continue to be compromised while waiting to fit this into his busy media schedule,” Cornell said. “While the administration, on the other hand, when finding out of the potential issue, took action immediately.”
Mychajliw said that the potential disclosure of confidential information to unauthorized individuals is a serious matter.
“The law is clear. DSS workers violated numerous privacy laws and regulations,” Mychajliw said in a letter to Deputy Erie County Executive Richard M. Tobe filed with the Erie County Legislature on Friday.
In the letter, Mychajliw revealed that his office took possession of discarded documents from 1,700 Department of Social Services cases that were obtained from an unsecured recycling bin placed outside the county building.
“They are now, unfortunately, public documents, because you put them in the garbage,” the comptroller wrote.
The comptroller’s office still has the documents.
An earlier letter from Tobe to Mychajliw had asked if the comptroller’s office had removed any confidential social services records, saying, “I have been advised ... that members of your office, perhaps including you personally, were observed entering a secure DSS storage area in the sub-basement of the Rath Building and reviewing paper items from recycling totes.”
Mychajliw on Friday told The Buffalo News that he asked a janitor to retrieve the unsecured bin and deliver it to the comptroller’s office.
“Anyone could have walked in the basement of the Rath Building and walked out with almost 2,000 documents,” Mychajliw said.
The comptroller also accused the administration of being lax in reporting the breach of security to the appropriate state and federal authorities.
That prompted another round of finger-pointing, as Cornell questioned whether the comptroller neglected a duty to report the breach.
“Wouldn’t it be the responsibility of the comptroller as a member of county government?” Cornell asked. “If he felt so strongly, why did he wait for over a month to notify the administration instead of keeping it under his hat to use for political gain afterward?”
Mychajliw retorted: “They knew we were looking at their controls.”
“We’re proud of the fact that our audit has been able to identify a serious security breach and that the administration has moved to fix it. However, the administration should not be passing the buck,” he added.
There was no indication whether any social services recipient’s information might have been misused by identity thieves before the security lapse was corrected.