AP reports:
A state audit has found that Gov. Pat Quinn’s administration left behind tractors, a forklift, computers, and confidential patient and employee records when it closed three Department of Human Services facilities.
The report by Auditor General William Holland — released Thursday — says officials failed to follow proper inventory and shut-down procedures when it closed centers in Jacksonville, Rockford and Tinley Park in 2012.
A digest of the report noted numerous current problems, involving the Central Office as well as closed facilities:
- During walkthroughs at the Department’s Central Office, auditors found unlocked shred bins in open areas that were clearly marked as shred. We also found confidential information that was disposed of in a recycle bin.
At three closed facilities, auditors noted the following exceptions:
- At Tinley Park Mental Health Center, which closed June 30, 2012, auditors conducted a walkthrough 13 months following closure and found the Department had left boxes of patient records near the side entrance of a building. In addition, files were noted in four buildings that contained employee personnel records, recipient files, forms containing names and contact information for volunteers, clinical record files, files containing medical tests, pharmaceutical records, patient incident records, patient surgical and psychiatric records, and files containing information on Hurricane Katrina refugees.
- At H. Douglas Singer Mental Health Center, which closed October 31, 2012, auditors conducted a walkthrough 9 months following closure and found complete employee records, recipient court records and other court records, and Patient Daily Census and Movement reports with recipient names. In addition, auditors noted filing cabinets full of investigations, reports, and attorney correspondence related to the Department’s Office of the Inspector General.
- At the Jacksonville Developmental Center, which closed on November 27, 2012, auditors found confidential information in trash receptacles, filing cabinets, binders, boxes, and on desks. We found resident names, health information, and social security numbers, a labeled medical specimen, photos of residents labeled with residents’ names and incident number, security reports which included resident names; filing cabinets with folder separators labeled with resident names; two computer monitors and three computer towers; large stack of binders which contained the last name and first initial of residents on the spine of the binders; and manila filing folders with patient names written on the tabs.
The auditors report:
We noted the confidential information at the above facilities may have been exposed to outside individuals, including employees of the Department of Central Management Services and vandals. With regard to Tinley Park Mental Health Center, additional exposure occurred as a result of training conducted at the Center by members of the U.S. Navy SEALs and area police officers.
Additionally, documents containing confidential information were found in trash or recycle bins while performing visits at certain other Department facilities. Documentation included information such as patient names, social security numbers, guardian names, addresses, telephone numbers, appointments, assessments, specimen logs, and test orders. (Finding 9, pages 41-43) This finding was first reported in 2005.
We recommended the Department ensure confidential information is adequately protected and review existing policies regarding the security and control of confidential information to ensure Department-wide procedures exist for ensuring confidential and personal information is adequately secured in both electronic and hardcopy format. We further recommended the Department effectively communicate and enforce its procedures for safeguarding, retention, and subsequent disposal of all confidential information to all Department personnel, including facilities.
Department officials accepted the recommendation and stated they are developing a new Administrative Directive to ensure confidential information is adequately protected and personal information is adequately secured in both electronic and hardcopy format. The Department also stated they will communicate and enforce its procedures for safeguarding, retention, and subsequent disposal of all confidential information to all Department personnel, including facilities.
But wait, there’s more:
The Department did not adequately protect confidential sensitive information. From July to October, Department staff sent numerous unprotected emails to OAG staff that contained information such as: protected health information, names and social security numbers and bank account information. In each case, OAG staff informed the sender of the infraction, asked the sender to refrain from sending such information in an email, and provided information on the availability of State’s encryption resources.
You can access the full report here (pdf, 284 pp.).
Thanks to @PrivacyRightsIL for making me aware of the AP report.