Names, medical and biographical information from hundreds of children who fell victim to physical and sexual abuse were left unsecured on a file sharing platform in Montgomery County, Maryland, according to an inspector general’s report.
Following a tip it received last week, Montgomery County’s Office of the Inspector General said it found “sensitive and Personally Identifiable Information” on an “information sharing platform” used by the county.
More than a dozen unauthorized Montgomery County employees had accessed the data when the discovery was made, according to the OIG, adding that the information has since been removed from the SharePoint file sharing platform.
The victims were all evaluated by the Tree House Child Advocacy Center, a Rockville-based nonprofit that works with the county, approximately 529 in all, according to the OIG.
It is the second time this year the OIG said it found Montgomery County failed to protect sensitive data on its computer systems.
In February, the OIG notified the county’s chief administrative officer of “a serious privacy risk” tied to the use of a collaboration application.
The OIG said it found “nonpublic documents connected to county leadership and county departments on an information sharing platform.”
In May, the OIG reported that it discovered an “unsecured document” containing the Social Security number, bank account number, address and other personal data of a Medicare benefits applicant.
The OIG said it received information about the most recent security lapse from a concerned Montgomery County employee on Sept. 23.
The worker said “they were able to access records pertaining to Tree House through the SharePoint platform.”
An even larger number of files from other departments were also found to be unsecured, according to the OIG.
In response, the OIG issued five recommendations to Montgomery County, such as urging it to “discontinue the use of file sharing platforms until data security vulnerabilities are addressed.”
But the county called that suggestion impractical.
“Discontinuing the use of file sharing and collaboration across the county would drastically impact business operations, especially during a time of significant remote teleworking,” said Richard Madaleno, Montgomery County’s chief administrative officer, in a Sept. 29 letter to Inspector General Megan Davey Limarzi.
Another recommendation was for the county to instruct employees and the Department of Technology Services to “delete documents containing PII and other sensitive information from document sharing platforms.”
The county said it was “unable to concur with this recommendation” as well. The rejection of those two recommendations led the OIG to state the county “does not seem to fully grasp the severity of our findings or the impact of the data exposure incidents to victims.”
The conclusion goes on to state that the actions Montgomery County is willing to take don’t “address the reality that documents … are currently available to persons who have no legitimate need for them.”
WTOP has reached out to Tree House Child Advocacy Center for comment.