Wednesday, March 23, 2016

TOP STORY >> Data breach is tracked to ex-employee

By JOHN HOFHEIMER
Leader senior staff writer

A former Pulaski County Special School District certified health insurance representative emailed herself personal data for virtually all employees who worked for the district between January 2012, when she started, and Feb. 26, 2016, when she left, according to communications director Deborah Roush.

A Pulaski County Sheriff’s Office complaint identified Erica Holmes as the employee in question. She was out of town and couldn’t be interviewed over the weekend, sheriff’s office spokesman Capt. Carl Minden said Tuesday.

According to the report, Holmes was not fired, but she was disgruntled with her former boss.

Because the employee left in February, her emails were routinely forwarded to her supervisor, according to Roush, who noticed that information that needed to go to the benefits department was copied and sent to her personal email.

Holmes’ email was then forwarded to PCSSD’s chief technology officer, Will Reid.

Reid discovered she had sent to her personal email information dating back to 2012 that included names and Social Security numbers. Some files had birthdays, signatures and other information.

Roush said the information had been “out there” since 2012, but there had been no complaints of misuse.

Reid told the investigator on Friday that he had found 192 emails that Holmes sent to her personal Yahoo email account, the report states.

The district is not done going through the 1,258 emails on the account, Roush said.

The district notified all employees by email Friday, the day the breach was discovered, Roush said.

“The purpose of this notification is to let you know about this data breach and to suggest steps that you may take to protect your information,” the notification states.

“At this time, we do not have confirmation that the information has been shared with anyone aside from this employee, although we will be able to update you as the police continue their investigation.”

The sheriff’s office and the district said it’s too early to know if this act was criminal, but it’s against policy at the district and, since the information was from health insurance records, it could be a violation of HIPPA.

In his report, Detective Ryan Geary said he was told Holmes was trained about proper procedure for handling and communicating personnel information.

“This was not a situation where Homes did not know this was a violation,” he said in the report.

There were also disability papers and spreadsheets with the employees’ names, Social Security numbers and what they were paying for their health insurance.

The district also contacted employees by telephone and placed a display ad in the Arkansas section of the statewide daily paper.

The notice from the district recommends employees or former employees closely monitor their financial accounts and contact their financial institutions if they notice unauthorized activity.

The district’s notification also suggested submitting a complaint to the Federal Trade Commission and credit reporting agencies Equifax, Experian and TransUnion to obtain free credit reports if employees find any misuse.

A help desk number was set up to answer employee questions, Roush said, but would not be active until school is back in session after spring break.

In total, Reid stated he found 192 emails that Holmes sent to her personal Yahoo email account.

By Tuesday, Reid had discovered 1,258 emails Holmes had forwarded or copied herself, some including spreadsheets.

“I advised both Roush and Reid we would need to determine whether Holmes was emailing this information to her personal account for malicious reasons, or was it a situation where she was trying to document that the information was sent to the recipient when requested,” Geary wrote in his report.