Taxpayers' Social Security numbers, confidential child abuse reports and personnel reviews of New Jersey workers nearly went to the highest bidder after the state sent surplus computers out for auction.
Nearly 80 percent of discarded computers in a comptroller's office sample had not been scrubbed of data before being shipped to a warehouse, according to an audit released Wednesday.
"At a time when identity theft is all too common, the state must take better precautions so it doesn't end up auctioning off taxpayers' Social Security numbers and health records," Comptroller Matthew Boxer said.
The state's computer redistribution program allows discarded computers to be claimed by another agency within 30 days, or sold or donated. State agencies are supposed to remove data from hard drives before junking computers.
The audit of desktop and laptop computers spanned 17 months, July 2008 through December 2010, and the administrations of Govs. Jon Corzine and Chris Christie. Auditors found information on 46 of the 58 hard drives it tested in the state's surplus property warehouse and personal data on a third.
The computers were shrink-wrapped and ready to be auctioned.
The data included Social Security numbers of taxpayers and employees; child abuse case files, including a child fatality report; a list of state employees' computer passwords; and a judge's tax returns. A memo from the judge on a lawyer's "personal emotional problems" was found on his discarded laptop; personal contact information on most members of Corzine's Cabinet was found on other surplus machines.
Perhaps the most potentially damaging find was 230 files related to state investigative case screenings and child abuse reports, many of which contained the names and addresses of the children involved.
The files also included child immunization records and a child health evaluation. Another computer contained a list of vendor payments referencing names, addresses and phone numbers of children removed from their homes because of abuse or neglect, and information about their cases.
"The availability of such confidential personal information and sensitive business information to third parties through the disposal of state-owned computer equipment presents security risks to the affected individuals and state agencies," the audit states. "Further, the release of such information to unauthorized parties would violate various federal and state statutes."
Department of Children and Families spokeswoman Lauren Kidd said the child welfare agency has revised its computer disposal and sanitation policy to ensure hard drives are destroyed before computers leave the department. One employee was disciplined, she said.
Glenn Grant, acting administrative director of the courts, said the judiciary had taken steps to improve security after the judge's laptop was recycled without data being erased. He said the department turns in 2,300 computers a year.
The Treasury Department, which oversees the redistribution program, suspended computer auctions while the audit was still going on to prevent the future release of personal, confidential data from computers bound for auction. Additional steps are under way or under consideration, according to the report.
The audit found data from four state agencies, including one that had been cited in 2009 for discarding data-containing computers. The agencies were not named in the audit.
The audit did not check any computers that had been turned in by one agency, then claimed by another. The comptroller's office also had no way to test computers that had previously been sold at auction.
Four of the scrapped computers at the warehouse, packaged to be sold as scrap, were still under warranty, the audit found.