A disaster preparedness exercise to ensure California's child support system could be run remotely went smoothly, except for one casualty: the names, Social Security numbers and other private records of about 800,000 adults and children.
Four computer storage devices for the California Department of Child Support Services went missing somewhere between Boulder, Colo., and Sacramento earlier this month while they were in the possession of IBM and Iron Mountain, Inc, the department announced Thursday.
The backup storage cartridges also contained addresses, driver's license numbers, names of health insurance providers and employers for custodial and non-custodial parents, and their children.
The cartridges had been sent to IBM's facility in Boulder as part of a disaster simulation, so the technology company could test whether it could run the state's child support system remotely, said Christine Lally, a spokeswoman for the state's Office of Technology Services.
After testing was completed successfully, the data cartridges were to be sent back to California. Typically, secure transportation for sensitive materials are provided to the state through Iron Mountain but the company doesn't fly, so FedEx transported the cartridges.
"We believe that the container was not properly secured, thus allowing the container to open and then spill out," Lally said.
IBM did not immediately respond to a call seeking comment.
The department has notified all those possibly affected by the March 12 data loss via mail, and has notified the three major credit reporting agencies, the state attorney general's office and the state Office of Privacy Protection.
The child support department is recommending that those affected by the breach place a fraud alert on their credit cards, get copies of their credit reports and take other appropriate steps to protect their identities.
The agency's interim director, Kathleen Hrepich, says the incident won't affect the processing of child support cases.
There's a chance the information from the California Department of Child Support Services won't be accessible because a specialized machine is needed to run the cartridges the data is stored on, and special hardware and software are needed to read it, said Lally.
"(A data cartridge) is definitely not something that you or I could just pop into our laptop," Lally said.
Thursday's announcement isn't the first time massive amounts of personal information entrusted to IBM has been lost.
Last March, IBM informed insurer Health Net that the company could not find drives containing information for 1.9 million enrollees. The lost information included financial information, Social Security numbers and health histories.
The state's contract with IBM for the disaster services contract began August 1, 2008, and expires July 31, 2012.
"Obviously, the California state agency picked IBM because it trusted its expertise in securing highly sensitive personal data," said Beth Givens, director of the Privacy Rights Clearinghouse.
"Unfortunately, we can't assume that our sensitive personal information is safeguarded to the extent that it should be," Givens said.
The San Diego-based organization tracks data breaches and estimates at least 550 million personal records have been breached since it began tracking them in 2005.