Va. Beach human services workers fired for privacy breaches

VIRGINIA BEACH

At least eight human services employees, including supervisors, have been fired or disciplined in the past year for wrongfully accessing confidential and personal information about former employees, family members and clients, according to investigation reports from the Virginia Beach Auditor's office.

The violations include a boss who forced her employees to gather information from a state database about her husband's child and a worker who checked on the status of a dead client's Medicaid benefits to help the client's family, the reports said.

The breaches have raised concerns among Beach officials and sparked a comprehensive audit of the agency's information security measures. The review is scheduled to begin within the month and could take up to four months to complete, said Lyndon Remias, the city auditor.

"We need to look at the magnitude of the problem," Remias said.

Most of the cases stemmed from the agency's financial assistance department, which handles food stamps, Medicaid assistance, grants for the disabled and emergency relief for needy families.

None of the reported violations involved identity theft, said Robert Morin, the city's human services director.

Usually, it was employees searching the state database for information about somebody they knew, Morin said.

The department has offered more training, and with the spate of firings, employees realize that abusing the information and violating confidentiality has repercussions, Morin said.

"We have zero tolerance for it," he said.

As part of their jobs, the 330 employees in the department who provide social services have varying degrees of access to secured databases. They need the information to determine whether a client qualifies for financial help, Beach officials said.

Through the state's Systems Partnering in a Demographic Repository (SPIDeR), a Web-based program, social services workers can view up to 13 state and federal databases, including Department of Motor Vehicles, child support and social security benefits records.

In one of the more serious violations, a supervisor got her employees to look up information about her husband's daughter from a previous marriage. The supervisor then called the state's child support division, pretended to be the mother and asked for access to payment information. The investigation began in 2008, but wasn't closed until late last year, according to the city's reports.

The supervisor was fired and two employees were suspended for two weeks, according to the results of a city fraud, waste and abuse investigation.

In another case, which was closed last October, a supervisor and employee accessed Sentara Virginia Beach General Hospital's information to look up the medical records of a former city worker. Both the boss and employee were fired.

And in December, an employee inadvertently sent a client information on 893 cases. The client signed a form stating that she deleted the e-mail and the city contacted the people whose information had been breached, Beach officials said.

No information was available about what action the city took against the employee, whose case is still pending.

Most of the violations were caught because employees complained to the city's fraud hotline. The city was able to identify the breaches because the system tracks each search.

The city does a bi-annual audit and spot audits, but finding violations can be difficult. Virginia Beach averages about 230,000 hits a month on the SPIDeR system, Beach officials said.

"We do really rely on folks talking to us and clients who want to talk to us," Morin said.

State social services officials said confidential information breaches are not a problem statewide. Last year, Virginia Beach was the only city to notify the state about a violation, said Marianne McGhee, a spokeswoman for the Virginia Department of Social Services.

Deirdre Fernandes, (757) 222-5121, deirdre.fernandes@pilotonline.com