TACOMA — The new interim leader for the Tacoma-Pierce County Health Department started her role with news about a 5-year-old data breach the department says it learned about just last month.
TPCHD’s Cindan Gizzi announced the news immediately after being appointed the department’s interim director during Wednesday’s Tacoma-Pierce County Board of Health meeting.
TPCHD provided further details to The News Tribune after the meeting in response to questions.
According to TPCHD, the Department of Justice notified the health department on June 1 that an unauthorized person had accessed its Washington State Food Worker Card online training (Do it Right! Serve it Safe!) database around Nov. 18, 2018.
The database involves participants in many counties, not just Pierce County. “People from counties across Washington use our Food Worker Card training and their information was included in the database,” TPCHD said late Thursday.
The department learned the breach “included names, ZIP codes, birth dates, and email addresses listed for about 2.1 million records, of which 1.5 million were unique records,” Gizzi told the board.
The breach occurred within the department’s previous software and hosting platform.
Gizzi said that the information “was uploaded to the dark web, and sensitive information within it was available to download for about 45 days before it was then pulled off.”
She said, “Our IT staff immediately confirmed the data security weakness is no longer present. In February of 2019, we moved the food worker card database to a different host with stronger security. We performed several security assessments and have found no problems with the current system.”
She added that the data had been moved to the new host without any knowledge of the November 2018 breach.
“Before we even knew about it, in early 2019, we switched platforms to one that had much greater security and where this kind of breach would not happen,” Gizzi told the board.
A public notification was not immediately triggered based on the state’s notification requirements from 2018. Under those requirements, “personal information” was defined as someone’s first name or first initial and last name in combination with a limited set of state or federally issued ID numbers or account number or credit or debit card number, in combination with any required security code or password that could enable account access.
According to a TPCHD statement to The News Tribune, “Last week we learned an additional 9,500 records contained driver’s license numbers that were collected before Sept. 4, 2012. Because those records contained names and driver’s license numbers, we are required to notify those applicants.”
Ultimately, the department said, it “decided to notify all users involved, including people who didn’t share their driver’s license numbers, out of courtesy.”
Gizzi told the board Wednesday that the department was “in the process of complying with statutory notice requirements, including notice to the state Attorney General’s Office.”
Total financial impact on the department regarding the notifications is still to be determined.
Kenny Via, media representative for TPCHD, told The News Tribune via email Thursday, “We are still estimating the cost based on requirements. We expect it to be between $1,000 and $5,000.”
Cyber security analyst Robert Siciliano is CEO of ProtectNowLLC.com.
He told The News Tribune via email in response to questions, “Every state has their own rules and regulations regarding what is considered personal identifying information required to be disclosed as a data breach.”
A broader list of notification requirements went into effect in Washington state as of March 1, 2020.
Siciliano noted that even with any assurances of tightened security measures, people who could be at risk “should consider that their data is leaked, in the hands of criminals, and can be exploited on a moment’s notice.”
“The fact is, if their data wasn’t leaked through the agency, it’s likely been leaked through other government agencies or private corporations,” he added.
Moving forward, the advice remains the same after any data breach and exposure of personal information if you feel you are at risk, Siciliano said.
“Your job going forward is to make it ‘useless’ by setting up credit freezes, credit monitoring and simply overall paying close attention to your accounts,” he said.
The health department late Thursday afternoon issued a news release on the breach. The department stated that “We do not believe this breach poses a high risk for identity theft. However, if you’re affected, we encourage you to protect your information and review your credit reports at: Equifax—(800) 685-1111; Experian—(888) 397-3742; TransUnion—(888) 909-8872.”
The department said individuals with further questions can contact it via email at foodworkercard@tpchd.org or call (253) 649-1414.