Pennsylvania's Department of Public Welfare (DPW) plans to mail out letters to about 375,000 individuals in the state informing them of a data breach involving their personal data.
The notification effort follows the theft of two computers from DPW office buildings.
The bulk of information on the stolen computers was protected with multiple passwords and did not identify individuals by name, according to a statement by the DPW. Instead, it contained "coded information" about the treatment of consumers in the states' behavioural health system. "However, the information for approximately 1,819 consumers did include names and Social Security numbers" the agency said.
"DPW has begun mailing notification letters to the approximately 375,000 individuals in the behavioural health system that could potentially be affected in order to explain what has happened and to assist them with any steps they will need to take," said the department. The DPW did not explain why it is notifying all 375,000 individuals, given that no names or other identifying information about most of them was stored on the stolen computers.
Officials could not be reached for comment on the incident, which is just the latest of numerous breaches in the US in recent months. Over the past two weeks alone, for instance, there have been at least three incidents involving the potential compromise of personally identifiable data because of system thefts.
Connecticut's Department of Revenue Services in late August disclosed that a laptop containing personally identifiable information on about 106,000 state taxpayers had been potentially exposed because of a laptop theft. That same week, AT&T confirmed that a laptop containing personal information on an unspecified number of current and former employees of AT&T was stolen from the vehicle of a consultant working for the company.
The other incident involved a similarly unprotected laptop at Maryland's Department of the Environment. As with the AT&T compromise, no details were released about how many people might have been affected by that theft, which involved a computer containing personally identifiable information on individuals who had been issued licenses by four separate state agencies.
In all of these cases, the data on the stolen systems was password protected, but not encrypted.