UPDATE - California lawmakers rip handling of data theft

29.10.2004
By Todd R.

Four members of the California state assembly are pressuring the state's Department of Social Services (DSS) to immediately improve its attempts to notify 1.4 million state residents that their personal information may have been stolen by hackers in August.

In a letter Wednesday to Kim Belshe, secretary of the state's Health and Human Services Agency, which oversees the DSS, the lawmakers were critical of the department's decision to "only issue a media advisory about the 'unauthorized access.'" The media advisory "is not the most effective way to communicate with the workers and affected elderly and disabled clients," the letter stated.

Instead, the legislators wrote, "we believe it is imperative and well worth the cost to individually inform every affected party so each client and worker can personally check and see if they have been a victim of identity theft."

Under a California privacy law that went into effect last year, businesses and public agencies are required to inform individuals when their names -- in combination with either their Social Security numbers, driver's license numbers or credit/debit card numbers with personal identification numbers -- have been accessed by an unauthorized person.

Last week, the state announced the apparent security breach and warned affected state residents of the incident through a media advisory. The personal data was being used with the department's consent by a researcher working at the University of California, Berkeley, in August when it was apparently infiltrated by hackers. The DSS is working with the U.S. Federal Bureau of Investigation to investigate the case.

The incident involved a computer that contained personal information on about 1.4 million recipients and providers participating in DSS's In-Home Supportive Services (IHSS) program, which provides home care services to low-income elderly and disabled Californians. Names, addresses, telephone and Social Security numbers, and the birth dates of IHSS participants may have been stolen, according to the DSS.

"We respectfully request that you require the Department of Social Services to individually notify In-Home Supportive Services recipients and providers that the privacy of their personal information may have been compromised due to the breach of security suffered at UC-Berkeley," the letter stated.

Hans Hemann, chief of staff for assembly member Loni Hancock, said the DSS response of sending out a media advisory was "underwhelming."

"We believe that the efforts of the department have not reached a sufficient number of the IHSS clients so far," Hemann said. The media advisory was sent to about 500 newspapers, television and radio stations, he said, and the DSS set up a 30-line toll-free call center to answer questions about the incident. "They received less than 100 phone calls" out of 1.4 million potential victims, he said.

It is not yet known if any personal information from the incident has been compromised, he said. "I'm not sure the clients were aware that their information was potentially used, therefore we haven't had any reports," Hemann said.

A spokesman for the DSS couldn't be reached for comment at deadline.

Janet Gilmore, a spokeswoman for the University of California, Berkeley, said the incident is under investigation and had no further comment.

In a statement posted last week on its Web site, the university said "even one breach of its network is unacceptable. The campus works hard to avoid such incidents and regrets that this one occurred."

"The investigation has not yet determined whether any personal data was acquired," the statement said. "To date, the state Department of Social Services has not received any information indicating that identity theft or any misuse of the data has occurred."

The database was being used by a visiting scholar at the school's Institute of Industrial Relations, the university said. "As part of her research project, she was trying to determine how wage and benefit increases can improve the recruitment and retention of quality home-care workers. Campus networking officials say they are investigating how and why the breach happened."

The letter from the legislators also took the department to task for the length of time it took to disclose the potential information theft.

"It has been over two and a half months since the security breach occurred and one and a half months since the University of California detected the problem," the letter stated. "We suggest that the agency develop a stronger policy that both prevents the unauthorized access to personal information and requires departments to respond quickly if security breaches occur."

Similar security incidents have occurred in California in the past. Last month, a hard drive that contained names, addresses and Social Security numbers for some 23,000 students, faculty members and employees at seven California state university campuses was apparently thrown away accidentally after the drive was replaced by a technician.