Dan Walker reports:
A flash drive containing the personal information of thousands of City of Milwaukee workers was stolen along with the car of an employee of a health care firm that contracts with the city.
The employee worked for Dynacare Laboratories, a contractor used by Froedtert Health Workforce Health in connection with the city’s wellness program.
The flash drive contained personal information, including names, addresses, dates of birth, Social Security numbers and gender. Mayor Tom Barrett said Friday night that approximately 6,000 city employees were affected. In addition, the names of approximately 3,000 spouses and domestic partners of those workers also were on the flash drive, but their Social Security numbers were not included.
No financial information, medical records or test results were included in the database.
Read more on the Journal Sentinel. The story does not specifically say the data weren’t encrypted, but it would seem that they weren’t. If that’s the case:
(1) Why weren’t the data encrypted? Did this violate the city’s policy, Froedtert’s, or Dynacare’s policies or contracts?
(2) Why were the data on a flash drive? Did Froedtert’s contract with Dynacare permit personally identifiable information to be copied onto portable devices that leave the premises?
(3) Why, if the drive was stolen on October 22, did it take so long for Dynacare to notify the city?
I imagine there will be a serious investigation into this as well as some finger-pointing. Where does the buck stop on this one? With Froedtert because Dynacare was their contractor? Use the Comments section below to discuss.