The personal information of at least 14 Indiana welfare clients was shared with others because of a contractor's computer programming error, Indiana officials said Monday. The security breach potentially affects more than 187,000 people.
The Indiana Family and Social Services Administration said some of the personal information possibly shared with others included the Social Security numbers of as many as 3,926 clients.
"We do not believe this was a widespread disclosure of information," FSSA spokesman Jim Gavin said in an email message. "To this day, we have been made aware of 14 instances where information was received by the wrong person."
A programming error by FSSA contractor RCR Technology Corp. resulted in an undetermined number of documents being sent to the wrong clients. In addition to the Social Security numbers, FSSA said, information disclosed possibly included monthly benefit amounts; financial information, such as monthly income and expenses, bank balances and other assets; and medical conditions.
"We are ultimately responsible for the safekeeping of that information and regret that in this rare instance some information may have been accidently shared inappropriately," FSSA Secretary Debra Minott said in a statement.
The error occurred April 6 and affected correspondence sent to clients from that date until May 21, FSSA said. The error was discovered May 10 and corrected May 21, the agency said.
Indiana Democratic Party Chairman John Zody issued a statement saying he hoped FSSA and the office of Gov. Mike Pence "take the necessary steps to ensure nothing of this sort happens again."
"We do wonder why it took more than six weeks for FSSA to notify the public of this security breach, and we hope the agency will conduct itself in a transparent, open manner as the investigation into this matter moves forward," Zody said.
In response, Gavin said that once the cases began "trickling in," the contractor — which has an FSSA contract to manage documents in welfare cases — first had to confirm a problem existed, then discover the error and find a solution. FSSA also was required by law to work with the Indiana Attorney General's office in resolving the situation.
FSSA has sent written notices to people who might have been affected, informing them that some of their personal information might have been disclosed and precautions they can take to protect themselves against identity theft. It also said clients receiving another client's personal information should return it immediately to local welfare office or to shred the information.
Indianapolis-based RCR is taking steps to improve its computer programming and testing processes to prevent similar errors from occurring in the future, FSSA said. RCR President Robert Reed issued an apology.