The chairman and ranking member of the House Oversight and Government Reform Committee want to know why it took HHS tow months to notify Congress.
A fairly run-of-the-mill break-in at an office building in Olympia, Washington, is drawing attention from lawmakers who are concerned about a serious breach of personal information.
It all stems from stolen computer equipment used by Health and Human Services Department employees at a branch office there that potentially contained personally identifiable information of millions of people.
In a letter to the secretary of HHS, the chairman and ranking member of the House Oversight and Government Reform Committee say they want a briefing from agency officials on how many individuals’ personal information was stored on the hard drives and whether the stolen devices were used to access HHS databases.
The letter is signed by Reps. Jason Chaffetz, R-Utah, and Elijah Cummings, D-Md.
The burglary occurred in early February. However, HHS officials didn’t notify Congress of the potential breach until March 25.
Chaffetz and Cummings said they want an explanation from HHS on why it took so long to clue in Congress, especially since a 2014 update to federal information security legislation mandates speedy notification.
The Federal Information Security Modernization Act requires agencies to alert Congress of a “major” breach of sensitive or personal information within seven days.
“It is unclear why the department waited nearly two months to provide Congress with notification under FISMA,” the lawmakers wrote. When HHS staff finally did brief the committee, they stated “that HHS was working to determine what information was stored on the personal equipment” even though local news reports indicated state investigators were already concerned about the potential loss of personal information, the lawmakers wrote.
In addition, the letter states that HHS officials told the committee at least one of the laptops stolen was an employee’s personal device that was used to store personal information.
“Your staff acknowledged that the use of personal equipment is a clear violation of HHS privacy and security policy,” Chaffetz and Cummings wrote in the letter.
Police suspect a local man, Nicholas W. Perring, of stealing the equipment -- which included a laptop, two hard drives and other items -- from the Olympia offices of the Administration for Children and Families and the Office of Child Support Enforcement, according to a March 28 report in The Olympian. Both agencies are HHS subdivisions.
The police say the man and his girlfriend, who used to work in the office, both tried to pawn some of the stolen material.
Each hard drive contained between 2 million and 5 million individual profiles, which contain names, dates of birth and Social Security numbers, among other information, according to court documents cited by The Olympian.
The hard drives have not been recovered.
NEXT STORY: How Last Year's OPM Hack Could Affect the Census