Security lapses in several departments of Los Angeles County government put residents’ medical information, Social Security numbers and other sensitive information at risk of being stolen, three recent audits have found.
Probation, Public Health and Public Social Services, which dispenses welfare benefits, failed to deactivate computer login codes for hundreds of former employees who had left their jobs for one reason or another, the audits found.
In some cases, staff members simply lost track of computers or failed to report equipment that had gone missing. And in all three departments, auditors found some computers that were not protected by encryption software required by county policy.
The reports did not cite any incidents of private information actually being stolen or misused.
A Probation Department audit released earlier this month found that staff members failed to cut off the access that 695 former employees had to systems that track cases and juvenile detainees’ medical information. Some of those accounts and passcodes remained active for as long as seven years. And 33 of them had been used after the employees’ departures, although auditors could not determine who actually logged in or what they did with the access.
Probation officials said in a response that they had deactivated most of the old accounts and were in the process of shutting down the rest.
The audit also found that the department had simply lost track of some computers; at the time of the audit, 18 machines could not be found. Probation officials were later able to track down 10 of them — some had been donated or salvaged and others stolen — but acknowledged that they did not know what had happened to the other eight.
A separate audit of the Department of Public Health completed in April found that 13 former employees continued to have access to health records systems and 21 others still had working key cards for the agency offices for up to five years after they left. It also found that surplus equipment was stored in a warehouse receiving area open to the public and that staff often failed to report missing or stolen computers.
A December audit of the social services department found that managers had failed to cut off access to information systems for 442 workers who had left the department or transferred to other assignments. It also found that 25% of the computers reviewed had outdated antivirus software and that inventories of equipment were inaccurate.
Officials with the three departments said they were working to correct the problems, including setting up programs that allow them to monitor computers’ encryption status on an ongoing basis.
Prompted by the audits, Supervisor Mark Ridley-Thomas is proposing that a review of the information security procedures for every county department be conducted on an annual basis.
“We have to remain ever vigilant, particularly when dealing with technology issues,” he said.
The supervisors are set to discuss the issue Tuesday.
In February 2014, a break-in at a health contractor’s office led to the theft of unencrypted computers containing personal data on more than 342,000 patients under county care. The theft remains unsolved. Some of the patients whose data were breached joined in an ongoing class action lawsuit against the contractor, Sutherland Healthcare Solutions, and the county.
Clifford Neuman, director of USC’s Center for Computer Systems Security, said the issues identified in the audits are “standard problems that occur in many organizations, but they go counter to the most basic of policies that are in place to protect information assets.”
“Though common, the problems are serious,” he said.
Stan Stahl, president of Citadel Information Group and the Los Angeles chapter of the Information Systems Security Assn., agreed.
“Any security challenge has to be taken seriously,” he said. “The county has got to get it right every time, but the cybercriminals only have to get it right once.”