Medical records. Social Security Numbers. Employee performance evaluations.
Those were just some of the confidential records found on old computers that several agencies in Washington state were sending to surplus, violating policies for properly wiping computer hard drives, according to a new report from the Auditor’s Office.
“With the right knowledge of data retrieval, the confidential information we found could be obtained in a few minutes,” the report noted. “Had these computers been sold, the presence of confidential information on their hard drives posed a risk of harm to private individuals and the state.”
The report estimates that roughly nine percent of all computers, or 109 devices, that were set to be sent to surplus or destroyed contained confidential information. In one instance, a computer had its operating system still installed, while in another a machine contained dozens of inappropriate photos.
“We saw some types of confidential data recur more frequently during our tests, including employee performance evaluations and personnel information, user names and passwords, and network access instructions,” the report said.
In some instances, computers were sent to surplus before technicians were able to remove confidential data, while in others staffers incorrectly assumed that if a computer did not turn on, its hard drive no longer contained sensitive material, when in fact it did.
The Auditor’s Office analyzed computers at 13 agencies and found that four of them (the Department of Ecology, the Department of Health, the Department of Labor & Industries, and the Department of Social and Health Services) did not follow proper protocols for wiping the machines.
The state sent about 20,000 old computers to surplus over the past two years, with some of the computers distributed to non-profits, school districts and other organizations. Others are sold to the public at a surplus store in Tumwater or over the Internet.
State laws require that all machines be properly wiped of confidential information prior to sale or distribution, and that appears to be where the breakdown occurred.
Officials with the state have reacted promptly to the report, titled “Safe Data Disposal – Protecting Confidential Information.” Each of the departments has instituted new standards to make sure old computers are not sent to surplus with confidential data.
“The state is committed to protecting confidential data and eliminating or preventing security vulnerabilities. While the state acted quickly to resolve this issue, the SAO audit reflects the need to continually review each agency’s data removal processes. This audit is an excellent example of government working together to discover, scope and resolve a problem,” wrote David Schumacher, director of financial management, and Michael Cockrill, chief information officer, in a letter to the Auditor’s Office dated April 8th.
You can read the full report here.