News Stay informed about the latest enterprise technology news and product updates.

More IDs compromised: 450,000 in the Bay State

Another day, another batch of identities exposed.

This time, the bad news comes from Massachusetts, where the state’s Division of Professional Licensure (DPL) mailed off 28 computer disks with names and addresses of state licensees to 23 people who requested the public records last month.

It turns out that those disks also contained the Social Security numbers of 450,000 people. Given that this happened in Massachusetts, I have to wonder if any of the people affected were also victims of the massive TJX data breach that exposed some 45 million people to identity fraud. TJX is based in Framingham, Mass.

Anyway, here’s the statement from the DPL:

“DPL regrets to inform you that the social security numbers of a number of DPL and DHPL licensees were inadvertently included on computer disks mailed to individuals seeking publicly available information about DPL and DHPL licensees. The professions licensed by DPL and DHPL that are affected by this notice are listed below, followed by a list of those unaffected. Even as to the affected professions, please be aware that the disks containing your social security numbers have been recovered, except for Nursing Home Administrators and Accountants. The intended recipients of these two disks for these two boards have agreed to return them. Moreover, there is no indication that any social security number has been stolen or used by anyone.

The following professions are AFFECTED:

– Aestheticians
– Advanced Practice Nurses
– Allied Health Professions
– Athletic Trainers
– Audiologist Assistants
– Audiologists
– Certified Public Accountants
– Cosmetologists
– Engineers
– Hairdressers
– Land Surveyors
– Licensed Practical Nurses
– Manicurists
– Nursing Home Administrators
– Occupational Therapist Assistants
  – Occupational Therapist
– Pharmacists
– Pharmacy Technicians
– Physical Therapist Assistants
– Physical Therapy Facilities
– Physical Therapists
– Physician Assistants
– Public Accountants
– Podiatrists
– Psychologist
– Real Estate Brokers & Salespersons
– Registered Nurses
– Speech Pathologist Assistants
– Speech Pathologists
– Veterinarians

The following professions are NOT AFFECTED:

– Architects
– Barbers
– Chiropractors
– Dental Hygienists
– Dentists
– Dietitians
– Dispensing Opticians
– Drinking Water Operators
– Educational Psychologists
– Electricians
– Electrologists
– Embalmers
– Funeral Services Directors
– Gasfitters
– Health Officers
– Hearing Instrument Specialists
  – Home Inspectors
– Landscape Architects
– Mental Health Counselors
– Marriage & Family Therapists
– Massage Therapists
– Nutritionists
– Optometrists
– Perfusionists
– Plumbers
– Radio and TV Technicians
– Real Estate Appraisers
– Rehabilitation Therapists
– Respiratory Therapists
– Sanitarians
– Social Workers
– Systems Contractors

Nature of the Incident

Beginning on or about September 13, 2007, and continuing until September 17, 2007, and in response to public records requests for publicly available information such as the name and address of DPL licensees, DPL mailed computer disks that not only contained publicly available information but also inadvertently included social security numbers. DPL mailed a total of 28 such computer disks to 23 individuals. It appears that the 28 disks at issue erroneously included social security numbers as a result of a programming error and the upgrading of computer hardware and software. DHPL has an agreement with DPL under which DPL performs its information technology activities with respect to the Division of Health Professional Boards. Therefore, DPL was responding to public requests on behalf of DHPL.

Steps Taken to Recover Disks

26 of the 28 disks have been recovered. On September 18, 2007, DPL began immediate steps to recover the disks. All of the disks sent to individuals in Massachusetts and New Hampshire were recovered within a few days. The disks sent to individuals in other states were also recovered promptly, except for two disks. These two disks contain the social security numbers of individuals licensed by the Board of Registration of Nursing Home Administrators and the Board of Public Accountancy. An extensive search has been made for these two disks and DPL will continue to make every effort to recover these two disks. The intended recipients of these two disks have agreed to return them. Everyone who returned the disks stated that he or she did not retain any information from these disks. DPL has twenty signed certifications from individuals returning disks, indicating that they did not copy or download any information from the disks, or if they downloaded the information, it has since been deleted. DPL is continuing to seek such certifications from the other recipients of the disks. None of the individuals who received the disks has indicated that they were even aware the disks contained Social Security information.”

UPDATE: It appears they’ve recovered all but one of the disks. The remaining missing disk contains information, including Social Security numbers, about nursing home administrators. Spokeswoman Kofi Jones of the state’s Executive Office for Housing and Economic Development was quoted by The Associated Press as saying the disk was sent to California but has not yet reached its intended target.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

How can the DPL prove that none of the information was compromised? Since their security procedures are so poor, how many incidents have gone unreported? Saying they're sorry doesn't cut it either. How about some Credit Protection free of charge. Walk the walk, don't talk the talk.
May i suggest we all combine our efforts to put an end of business as usual for the state. A class Action suit, and make anyone in connection liable, and offer all of us a large settelment, since we will need the money after the 90 days is up, and all the 26 discs that are still on the hardrives, just waiting to be sold to all the idenity experts. Trust me, the State Of MA and the DPL has screwed us.
I was one of the 450,000 whose SS #'s were released. What I want to know is, if the disks were released "on or about September 12" why did I only get a letter notifying me of this on NOVEMBER 1 !!!!!!!!!!!!!
I was just notified by Verizon that I was not eligible for their VIOS services because my social security number, although under another name (which they will not provide me with so I can report it to the police!), is linked to delinquent utility accounts since Nov 2007. I have never used any name but my own, I have not had delinquent accounts, the accounts are in a state other than the one I live in, I do not have my SSN on my hard drive, I shred everything that comes in the mail with my name on it, but... I am a registered nurse in the state of MA and they compromised me in Oct! What can we do about this?