Security breach in May compromised information on more than 1,800 kids statewide, organization says
YORK — A temporary statewide data security breach allowed sensitive information for more than 1,800 children, including 83 in Adams and York Counties, to be viewable online, according to the County Commissioners Association of Pennsylvania.
The CCAP said today that childrens’ names, addresses, dates of birth, social security numbers and public health information might have been viewable online for a time.
The incident occurred in May, according to the CCAP. It temporarily exposed information in the Children and Youth Services databases run by a third-party vendor, Avanco International.
Ken Kroski, the CCAP director of media and public relations, said in a statement that “This was not a cyberattack, not Phishing, not hacking; it was a temporary exposure of information.”
The CCAP’s full statement appears below:
“In May 2017, a county children and youth worker found the exposure upon executing their normal work responsibilities. Information stored in certain counties’ Child Accounting and Profile System databases was publicly viewable online. It is important to note first that this was not a cyberattack, not Phishing, not hacking; it was a temporary exposure of information. The databases are maintained by a third-party vendor, Avanco International, and information and data stored on county-owned systems was not affected.
“When the situation became known, we immediately engaged legal counsel with expertise in cyber law – who then engaged a digital forensics company – to ensure the information was removed from the internet, conduct an investigation to determine the cause and put measures in place to help ensure an incident like this does not happen again. The information may have included personally identifiable information (name, address, date of birth, Social Security number) and protected health information (family treatment information and other family medical information). Based on the investigation, we have no indication that the information was inappropriately used.
“Due to the serious privacy implications of the situation, communication during the investigation was limited to the county solicitors in each of the affected counties. Notice letters were sent to affected individuals on June 30.
“Counties understand their obligation to ensure sensitive information about the people they serve is kept secure, and take this incident very seriously. They are confident the measures put in place will provide the necessary privacy and security their clients expect in order to ensure our children are given the care and protection they deserve.”