Dept. of Health security errors were self-inflicted flubs
Adonated file cabinet that contained personal information on nearly 100 New Mexicans.
A spreadsheet that was released to a third party, even though it contained certain details on every death in New Mexico in 2020 and 2021.
Those recent accidental releases of private data by the state Department of Health prompted the agency to take “immediate action” and enact “robust safeguards” when it comes to protecting personal information, a spokeswoman said.
The incidents, one discovered in March and the other last month, happened in ways both high-tech and extremely low-tech.
Last week, the department announced that a bottom drawer in one of 30 cabinets it donated to Habitat for Humanity contained 93 client program files, “potentially exposing certain personal information of a specific group of individuals,” according to chief privacy officer Amanda Frazier and a department news release. That information included personal contact, financial and medical details.
A breach occurred in the case of one of the files when the information “went further than Habitat for Humanity,” DOH spokesperson Jodi McGinnis Porter said, but she would not provide details.”
“The investigation regarding the details of how the one breach occurred is inconclusive,” she said. “However, the client is in possession of their file, and Secretary Patrick Allen personally reached (out) to this client and apologized for the breach.”
McGinnis Porter said the department has taken “immediate action” by “implementing robust safeguards such as annual training, document management, access and destruction plans, thorough checklists and enhanced security measures to prevent such incidents from occurring in the future.”
In the spreadsheet incident, details on the deceased people’s cause of death, age, gender, ZIP code and county were among the items included in the disclosure to an out-of-state journalist who made a records request. No names, birth dates or addresses were included.
Frazier would not name the journalist, because she said the publication involved still had the information posted on a website.
The collective information about the deaths is a potential violation of patient privacy laws, she said. An identity thief or bad actor working in a very small ZIP code area, for example, could possibly piece together more targeted information.
News of the inadvertent releases comes amid a soaring number of data breaches nationwide, although the primary cause in those is cyberattacks by outside criminals, according to the Identity Theft Resource Center.
Tracking by the center shows that incidents so far this year are on a “blistering pace” to set a new record, with a whopping 951 publicly reported compromises in the last three months, according to the national watchdog group.
For just the first six months of this year, the number of breaches is higher than the full-year count for nearly every year between 2005 and 2020, the latest report from the Identity Theft Resource Center says.
Contact Ellen Marks at emarks@abqjournal.com if you are aware of what sounds like a scam. To report a scam to law enforcement, contact the New Mexico Consumer Protection Division toll-free at 1-844-2559210, prompt 5. Complaints can be filed electronically at nmag.gov/contact-us/file-a-complaint/