For second time this year, inspector general finds county systems share sensitive documents
Montgomery County’s inspector general on Friday released a scathing report finding that a county platform made available to any employee or contractor hundreds of confidential documents about children who might have experienced sexual or physical abuse.
The records were of children who received help from the Tree House Advocacy Center, a Rockville nonprofit that contracts with the county to provide “medical evaluations, forensic interviews, ongoing mental health therapy, victim support” and other services.
A county platform, called SharePoint, exposed the names, biographical data, medical information, clinician notes and details of the children’s abuse, according to Inspector General Megan Davey Limarzi’s report.
This is the second time in 2020 Limarzi has found a county system was sharing confidential documents on an information-sharing platform, according to the report.
“Any actions the County may have initiated in response to my office’s repeated concerns have not adequately addressed the vulnerabilities existing with the County’s use of information sharing platforms,” Limarzi wrote in a memo to Chief Administrative Officer Rich Madaleno on Sept. 24. “This latest example is by far the most serious exposure.”
On Sept. 23, Limarzi received a complaint from a “concerned County employee” after they were able to access records about Tree House through SharePoint.
The employee said that they found the confidential documents while searching for documents “to which they had legitimate access.”
Limarzi replicated the steps the employee followed and found 240 documents and files, including those about Tree House clients. Other files included tax information and Social Security numbers of applicants for the Public Health Emergency Grant Program and information about several county departments.
Among the files, Limarzi found a spreadsheet containing details about the abuse of approximately 529 Tree House clients.
The information was still available on the SharePoint platform as of Sept. 24, according to Limarzi’s report.
On Sept. 29, Madaleno wrote back to Limarzi saying 16 unauthorized people viewed the files before access was restricted Sept. 25.
In response to Limarzi’s request that the county discontinue the use of all file-sharing platforms until data security problems are addressed, Madaleno wrote, “Unfortunately, we are unable to concur with this recommendation.”
He wrote that not using file sharing would “drastically impact business operations,” especially while most employees are teleworking.
He said the county is addressing the problem and that “vast swaths of information stored in County information systems … are not sensitive.”
“Requiring departments that do not handle sensitive information to suddenly stop use of file sharing platforms, which likely took months to create and implement … would freeze unnecessarily ongoing business operations County-wide that do not involve any sensitive information,” Madaleno continued.
Limarzi argued that the response “does not seem to fully grasp the severity of our findings or the impact of data exposure incidents to victims.”
“The County’s assertion that ‘vast swaths’ of information stored on file sharing systems are not sensitive,” Limarzi wrote, “misses the point that even a single exposure incident can pose serious consequences to those involved.”
In February, the Office of the Inspector General notified prior Chief Administrative Officer Andrew Kleine that a Microsoft Office 365 application, Delve, used by the county was storing and sharing “non-public documents connected to County leadership and County departments.”
County employees at the time assured Limarzi they were rectifying the problem, but, in May, she again found an “unsecured document” through the same application that contained a person’s Social Security number, Medicare number, bank checking account and other personal information.
Caitlynn Peetz can be reached at email@example.com