Earlier this month, this blog covered a breach involving the Town of Essex in Massachusetts. At the time, I found the statement by the selectmen a bit curious and had asked, “Do the selectmen suspect that someone associated with the program or commission removed the records? I wonder what kind of “legal action” they have set in motion, and why.” The town has apparently removed the original notice from their site, but a copy is still archived on Boston.com:
NOTICE OF POTENTIAL DATA SECURITY BREACH
LEGAL NOTICE TOWN OF ESSEX NOTICE OF POTENTIAL DATA SECURITY BREACH YOUTH COMMISSION RECORDS The Town of Essex has recently discovered that some records of the Essex Youth Commission are presently unaccounted for. Based on the Towns ongoing investigation such documents and computer files are believed to include, but not be limited-to, records relating to the Essex Youth Commission Summer Program and may contain protected health information or other personally identifiable information for individuals who participated in the Summer Program, including parents of participants and staff. To date, the Town has not received any reports that any individuals personal or medical information has been used improperly. Nonetheless, the Town wanted to promptly notify all potentially affected residents of the possible breach so that they can take any steps they feel appropriate under the circumstances. Please be assured that the Town is fully committed to investigating this matter and is taking all appropriate steps to further its commitment to the privacy of its residents. To this end, the Town, immediately launched an investigation when it learned that the files were unaccounted for and it set in motion a plan for retrieval of the records. The Town also notified the Massachusetts Attorney General, the Director of Consumer Affairs and Business Regulation and the Secretary for the United States Department of Health and Human Services. In addition, the Town is currently reviewing all of its document privacy and security policies to further protect individuals private information. A copy of the Massachusetts Attorney Generals Guide on Identity Theft for Victims and Consumers may be obtained at the office of the Town Clerk, the Police Station, or by following the link on the Towns website at www.essexma.org. In addition, if you have questions, you may contact the Town at the following toll-free phone number: (888) 532-2322 The Towns response to this matter continues and will not end until all reasonable efforts have been exhausted.
HHS’s website now includes their breach notification. According to HHS’s summary log, the incident was reported as having occurred on or about August 13 and affected 500 individuals. For type of incident, the town reportedly indicated “Theft, Loss, Improper Disposal, Unauthorized Access, Hacking/IT Incident.” HHS’s summary also indicates that the town indicated that the breach involved a “desktop computer, network server, and paper records.”
What on earth went on there?