Security Breaches of Personal Information at Federal Agencies More than Doubles Since 2009
7:05 AM, Apr 3, 2014 • By JERYL BIER
Millions of individuals who recently entrusted personal, medical, and financial information to the federal government while enrolling in Obamacare via Healthcare.gov may find a recent trend reported by the Government Accountability Office (GAO) rather unsettling. The number of security breaches involving Personally Identifiable Information (PII) at federal agencies more than doubled in recent years, increasing from 10,481 in 2009 to 25,566 in 2013. Perhaps even more disturbing, the GAO found that "none of the seven agencies [in a related study] consistently documented lessons learned from PII breaches."
A graph accompanying the GAO report illustrates the dramatic and consistent upward trend in PII-related breaches over the last several years:
A data breach may consist of something as simple as mailing documents containing PII to the wrong recipient, but also includes incidents involving massive loss of sensitive data as illustrated by these examples in the report:
While the increasing number of incidents is concerning, the GAO also found that "agencies have had mixed results in addressing" information security "and most agencies had weaknesses in implementing specific security controls." An earlier GAO report in December 2013 covered the responses to PII data breaches of seven federal agencies, including the IRS; the Centers for Medicare and Medicaid Services (CMS), the agency charged with implementing and running Obamacare; and the Veterans Administration (VA). That report found agency responses broadly inconsistent. For example:
The GAO report also gives a preview of an upcoming report specifically on cybersecurity at federal agencies, and preliminary results are not encouraging. The GAO has found effective and consistent response to cyber incidents in only about 35% of cases:
The full GAO report on cybersecurity will be completed and issued later this spring.