Thursday, October 18, 2007

Public Disclosure of Confidential Information

Since the disclosure of confidential information
has been a recent topic in Middleboro, a review of
the incidents and the actions taken by the Commonwealth
in response provides some insight.

The following information appears on the web site of the
Division of Professional Licensure, Commonwealth of Massachusetts,
and may be of interest to some regarding the distribution
of confidential information and recommended steps to address the
disclosure:

Letter From the Director

--------------------------------------------------------------------------------
By the Division of Professional Licensure
--------------------------------------------------------------------------------


Important Notice to Division of Professional Licensure (DPL) and Division of Health Professions Licensure (DHPL) Licensees
DPL regrets to inform you that the social security numbers of a number of DPL and DHPL licensees were inadvertently included on computer disks mailed to individuals seeking publicly available information about DPL and DHPL licensees. The professions licensed by DPL and DHPL that are affected by this notice are listed below, followed by a list of those unaffected. Even as to the affected professions, please be aware that the disks containing your social security numbers have been recovered, except for Nursing Home Administrators. The intended recipient of the disk for that board has agreed to return the disk. Moreover, there is no indication that any social security number has been stolen or used by anyone.

The following professions are AFFECTED:

- Aestheticians
- Advanced Practice Nurses
- Allied Health Professions
- Athletic Trainers
- Audiologist Assistants
- Audiologists
- Cosmetologists
- Engineers
- Hairdressers
- Land Surveyors
- Licensed Practical Nurses
- Manicurists
- Nursing Home Administrators
- Occupational Therapist Assistants
- Occupational Therapist
- Pharmacists
- Pharmacy Technicians
- Physical Therapist Assistants
- Physical Therapy Facilities
- Physical Therapists
- Physician Assistants
- Podiatrists
- Psychologist
- Real Estate Brokers & Salespersons
- Registered Nurses
- Speech Pathologist Assistants
- Speech Pathologists
- Veterinarians

Nature of the Incident
Beginning on or about September 13, 2007, and continuing until September 17, 2007, and in response to public records requests for publicly available information such as the name and address of DPL licensees, DPL mailed computer disks that not only contained publicly available information but also inadvertently included social security numbers. DPL mailed a total of 28 such computer disks to 23 individuals. It appears that the 28 disks at issue erroneously included social security numbers as a result of a programming error and the upgrading of computer hardware and software. DHPL has an agreement with DPL under which DPL performs its information technology activities with respect to the Division of Health Professional Boards. Therefore, DPL was responding to public requests on behalf of DHPL.


Steps Taken to Recover Disks
27 of the 28 disks have been recovered. On September 18, 2007, DPL began immediate steps to recover the disks. All of the disks sent to individuals in Massachusetts and New Hampshire were recovered within a few days. The disks sent to individuals in other states also have been promptly recovered, except for one disk. This disk contains the social security numbers of individuals licensed by the Board of Registration of Nursing Home Administrators. An extensive search has been made for the disk and DPL will continue to make every effort to recover this disk. The intended recipient of the disk has agreed to return it. Everyone who returned the disks stated that he or she did not retain any information from these disks. DPL has twenty signed certifications from individuals returning disks, indicating that they did not copy or download any information from the disks, or if they downloaded the information, it has since been deleted. DPL is continuing to seek such certifications from the other recipients of the disks. None of the individuals who received the disks has indicated that they were even aware the disks contained social security information.

Steps You Should Take to Protect Your Identity in These Circumstances
- Place a fraud alert on your credit. You can do so by calling one of the major credit reporting agencies at the following numbers: Equifax 800-525-6285, Experian 888-397-3742, TransUnion 800-680-7289. Placing an alert on your credit is free and stays in effect for ninety days.
- Monitor your financial accounts for unusual activity.
- Keep a list of all your credit and bank accounts in a secure place with phone numbers of customer service so you can quickly contact them if you notice suspicious account activity.
- Order credit reports periodically and check for any unauthorized activity.

M.G.L. c.93H, §3
Under M. G. L. c. 93H, §3, a new law that will go into effect October 31, 2007, DPL will be required in these circumstances to provide you with information regarding your right to obtain a police report regarding this incident, how you can request a security freeze from consumer reporting agencies, and the fees associated therewith. However, this information is not yet available. As soon as it is available, it will be posted on DPL’s website at www.mass.gov/dpl.

Obtaining Further Information
A written list of likely questions and answers that you may have is set out below this notice. You may also seek additional information by e-mailing DPL at reg.director@state.ma.us. Telephone inquiries can be directed to (617) 973-8100, between 8 and 5, Monday through Friday. DPL will make every effort to assist you.

DPL apologizes for any inconvenience this matter may cause you and will make every effort to assist you in addressing any concerns you may have.

Sincerely,


George K. Weber

http://www.mass.gov/?pageID=ocaterminal&L=6&L0=Home&L1=Government&L2=Our+Agencies+and+Divisions&L3=Division+of+Professional+Licensure&L4=Information+and+Services&L5=Data+Security+Alert+-+Important+Information&sid=Eoca&b=terminalcontent&f=dpl_data_security_info_letter&csid=Eoca
