Nassau notifies 209 workers their confidential personal data may have been breached
The Nassau County Department of Assessment in Mineola is shown on Jan 12, 2017. Credit: Newsday/John Paraskevas
Nassau officials have notified more than 200 current and former employees in the Assessment Department their confidential personal data may have been breached after some co-workers last year gained unauthorized access to human resources information about department workers.
In a letter Thursday to Nassau County Executive Bruce Blakeman and county legislators, Technology Commissioner Nancy Stanton said seven Assessment Department employees had obtained "personnel records," containing "Social Security numbers, medical notes, and other personal identifying information."
Stanton said, "none of the employees were authorized to view or access the data. Not all of the data accessed was confidential or personally identifiable in nature, but some was and, therefore a data breach occurred pursuant to state and local law … "
Stanton and county officials did not identify the employees who allegedly participated the data breach, or say what they did with the data or if any employees were disciplined.
The seven individuals still work for the Assessment Department, Chris Boyle, a Blakeman spokesman, told Newsday Friday.
The county has sent letters to 209 current and former employees notifying them their data may have been breached, Boyle said.
The breach occurred after the county had migrated its data server system to a new platform, Stanton said.
The upgrade eliminated a protection for human resource files, and inadvertently allowed all assessment employees to view human resource files of department employees, Stanton wrote.
On Friday, Nassau Legis. Joshua Lafazan (D-Woodbury) called on the county legislature’s government services and operations committee to investigate the matter, and compel testimony from county commissioners.
"Why would the Department of Assessment have medical records, as opposed to say human resources?" Lafazan said at a news conference in Mineola.
"How did this system upgrade result in an internal breach, and what steps have been taken to confirm this was the only breach caused by the upgrade, and we are not vulnerable to an outside cyberattack?" asked Lafazan, who is seeking the Democratic nomination for the 3rd Congressional District seat.
Mary Studdert, a spokeswoman for majority legislative Republicans, said the government services committee would schedule a hearing on the issue.
Stanton said the Information Technology Department began investigating the suspected breach on Dec. 29, three days before Blakeman, a Republican, took office after his victory over then-County Executive Laura Curran, a Democrat.
Under the Nassau County administrative code, the legislature and county executive must be notified of data breaches within 72 hours of their discovery.
Stanton said her department waited seven weeks to notify Blakeman and the legislature in order, "to determine the nature and extend of the breach."
The Blakeman administration did not make Stanton available for an interview.
"While this breach occurred prior to County Executive Blakeman taking office, this administration is already implementing best practices to secure public records and boost cyber defenses," Boyle said in a statement.
Scott Eidler covers Nassau County government and politics for Newsday. Scott has worked at Newsday since 2012 and previously covered municipal government and education.
Feral cat found with rabies . . . Piano Man's last show . . . Travel to Block Island . . . Olympics opening ceremony
Feral cat found with rabies . . . Piano Man's last show . . . Travel to Block Island . . . Olympics opening ceremony
