SACRAMENTO — Sensitive personal information for more than 700,000 people who provide or receive home care for the elderly and disabled may have been compromised when payroll data went missing in the mail, state officials revealed Friday night.
The breach occurred whenHewlett-Packard, which handles the payroll data for workers in California's In-Home Supportive Services program, was shipping information including Social Security numbers to an office in Riverside last month. The package arrived damaged and incomplete.
"While we continue to investigate, at this time we can't confirm whether the information was damaged, lost or stolen," said an internal government email obtained by The Times.
Advocates and union officials expressed alarm not only at the breach, but also at the procedure for transporting sensitive personal data — a package of microfiche sent via theU.S. Postal Service.
"It's hard for us to believe that in one of the largest states in the union, we're using such an antiquated system," said Steve Mehlman, a spokesman for a labor union representing 65,000 home care workers. "It clearly needs to be modified."
Michael Cox, a spokesman for Service Employees International Union, which represents 300,000 home care workers, said the fact that such "primitive security measures are still in place is inexplicable."
The state has opened an internal investigation and notified law enforcement, said Oscar Ramirez, a spokesman for the California Department of Social Services. Notices will be sent to everyone who may be affected, and officials are reviewing policies to prevent future problems.
"We're going to look at this and get to the bottom of it," Ramirez said.
The package was mailed April 26 and arrived at the Riverside office May 1. There was a weeklong delay before the state was notified of the breach Wednesday, according to information posted on a state website.
Ramirez said workers were doing their "due diligence" and "when they felt comfortable that the information was incomplete, they reached out to us."
The possibly compromised information, dating from October to December 2011, for 375,000 workers included names, Social Security numbers and wages. For 326,000 recipients, state identification numbers may be at risk.
Deborah Doctor, a lobbyist at Disability Rights California, called the breach "unbelievable" and "very worrying."
Doctor said many of the low-income clients in the program will have difficulty dealing with the fallout from the data breach. English is often not their first language, and some recipients have poor eyesight, leaving them unable to read notices from the government about the missing data.
About 40% of all workers and recipients in the program are in Los Angeles County, Doctor said.