State laptops: Still being lost, still vulnerable

Laptops stolen from the N.C. Department of Health and Human Services leave the state computer network vulnerable to hackers and tens of thousands of North Carolinians in danger of identity theft.

None of the dozen DHHS laptops stolen this year was loaded with encryption software, which makes computerized data unintelligible to unauthorized users. Failure to install the software is a violation of state security standards.

The most recent laptop theft – from a Division of Aging and Adult Services employee traveling in Atlanta – compromised personal information of about 85,000 people, including Social Security numbers of thousands of clients. The division announced Friday it was arranging credit fraud alerts for clients left vulnerable, which will cost the state between $25,000 and $30,000.

The credit alert will last 90 days but can be renewed by clients at no charge, according to Aging and Adult Services. Director Dennis Streets said in a statement the division had worked closely with families and local agencies to warn clients about the problem, but noted, “nothing can alleviate all of the concern caused by this incident.”

DHHS said none of the other laptops stolen this year had files containing personal information. Three of the stolen computers were new.

But according to the state Office of Information Technology Services, a DHHS laptop that was reported stolen from a hotel room in April had personal information on it, and two other laptops that may have contained personal data were reported missing in July.

Standards violations

In a Nov. 6 memorandum to DHHS Secretary Dempsey Benton, state Chief Information Officer George Bakolia said leaving laptops vulnerable to hackers is “unacceptable.”

“Failure to encrypt the hard drive on the laptop was a violation of State Security Standards,” Bakolia wrote of the machine stolen last month. “Additionally, DHHS may have been in violation of other standards regarding due diligence in safeguarding information regarding the type and quantity of data stored on a laptop.”

Bakolia's office has pushed DHHS for months to encrypt laptop files because of thefts and possible data breaches, reminding the agency of a statewide encryption contract in place for more than a year.

In an interview Friday, Bakolia said stolen machines leave the state computer network vulnerable to sophisticated intruders.

“It's not only the personal information I'm concerned about,” he said. “A good technical hacker, having access to a unit that is unprotected, they might have the means to enter our state network through a backdoor process.”

DHHS had promised months ago to protect data on its laptops. In an April 9 memo, DHHS Deputy Secretary Dan Stewart wrote that the agency would comply with the encryption standards.

On Friday, DHHS sent a letter to Bakolia explaining that the encryption was time consuming. It said the agency has limited money for technology and has had a difficult time with the logistics of installing security software for almost 500 employees around the state.

“Let me assure you that DHHS management is as concerned as anyone over the protection of confidential data,” said the letter, signed by Stewart on Benton's behalf.

Stewart sent an e-mail Nov. 10 to all DHHS employees prohibiting them from removing any confidential information from an office or secure location unless it is encrypted. DHHS is considering installing tracking systems in laptops to help solve future thefts, the letter said.

Information on the laptop stolen in Atlanta last month included Social Security numbers of 52,391 clients of the state Division of Aging and Adult Services. The last four digits of Social Security numbers were included for 32,645 additional clients.

Poor protection

The laptop disappeared Oct. 25, when a state employee returning from a conference was unloading bags from a car shuttle at the Atlanta airport.

The laptop was password protected. But a citizens advocacy group on personal privacy said passwords offer little protection from knowledgeable thieves.

“Even a teenager could hack into a password protected computer,” said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse in San Diego.

State officials sent letters to people whose full Social Security numbers were stolen, with advice on how to place a fraud alert on their credit reports. Those whose partial Social Security numbers were compromised were to get a different letter advising them to be cautious about unusual phone calls or other inquires.

This story was originally published November 15, 2008 at 12:00 AM with the headline "State laptops: Still being lost, still vulnerable."