The Department of Social and Health Services’ Economic Services Administration confirmed today that the private information of at least 2,600 and possibly up to 7,000 households receiving its services may have been compromised when a coding error caused ESA letters to be mailed to clients’ previous addresses.
The letters were mailed from Aug. 19, 2013 until the error was discovered and corrected on Oct. 26, 2013. The Department is concerned that some letters contained protected health information and could have been read by current residents living at the clients’ previous addresses.
“Even a single mistake that could wrongly disclose personal information is one too many,” said David Stillman, assistant secretary for ESA. “We will respond to this by improving our production oversight processes.”
ESA has 1.5 million clients and sends approximately 9.2 million pieces of mail each year.
All letters were sent in envelopes marked “Return Service Requested,” requiring the Postal Service to return them to ESA if the person named no longer lived at that address. It is unknown precisely how many letters were returned.
Meanwhile, ESA continues to analyze the situation to determine if more letters containing private information were sent to a wrong address.
ESA has determined that the majority of the letters mailed contained the client’s name, address and identification number. However, some letters may have included home phone numbers, contact information, date of birth, Social Security number, medical diagnosis or disability, other medical, chemical dependency or treatment information, employment or earnings information, and what public assistance services the client was receiving.
All affected clients are being notified.
The breach was discovered Oct. 22 following an uptick of address corrections made by customer support personnel. The increase prompted IT staff to investigate the cause, uncovering a database coding error.
The Economic Services Administration has reviewed the related quality assurance protocols and will be instituting oversight of production to ensure that correct data will be used.
ESA has no way of knowing if the information in the letters has been accessed or used for identity theft. Clients can get more information on actions to protect themselves through the websites of the Washington State Office of the Attorney General at: www.atg.wa.gov/ConsumerIssues/ID-Privacy.aspx and for the Federal Trade Commission at: www.ftc.gov/bcp/edu/microsites/idtheft//.
ESA will notify clients if it receives information that their credit or identity may be at risk.
Clients also can contact the Economic Services Administration’s Community Services Division Customer Service Contact Center at esaprivacy. Letters requesting information can be sent to Post Office Box 45857 Olympia, WA 98504-5857. Additional public information regarding this incident will be posted on the Department’s website at www.dshs.wa.gov/mediareleases/index.shtml.