California's social services department has come under fire for its lacklustre efforts to notify 1.4 million Californians that their personal information may have been stolen by hackers.
Four members of the California legislature have criticised the department's decision just to send out a press release about the unauthorised access as "not the most effective way to communicate with workers and affected elderly and disabled clients".
They say each client and worker should be individually informed so they can personally check and see if they have been a victim of identity theft.
Under a California privacy law that came into effect last year, businesses and public agencies have to inform individuals when an unauthorised person accesses their names plus their social security numbers, driving licence number or credit/debit card number and PIN.
The incident happened when data was being used with the department's consent by a University of California researcher. Hackers apparently accessed a computer containing personal information on 1.4 million recipients and providers of home care services to low-income elderly and disabled Californians. Names, addresses, telephone and social security numbers, and birth dates may have been stolen.
"The efforts of the department have not reached a sufficient number of the home care clients so far," said Hans Hemann, chief of staff for California Assembly member Loni Hancock.
The press release was sent to about 500 newspapers, TV and radio stations, and the department set up a free 30-line call centre to answer questions. "They received fewer than 100 phone calls," said Hemann.
It is not yet known if any personal information from the incident has been compromised. "I'm not sure the clients were aware that their information was potentially used, therefore we haven't had any reports," Hemann said.
The department has also been taken to task for the length of time it took to disclose the potential information theft. It has been over two and a half months since the security breach occurred and one and a half months since the University of California detected the problem.
Similar security incidents have previously occurred in California. In September, a hard drive containing the names, addresses and social security numbers for 23,000 students, faculty members and employees at seven California state university campuses was apparently thrown away accidentally after the drive was replaced by a technician.
Todd Weiss writes for Computerworld