City of Milw. changing policies after Dynacare security breach

MILWAUKEE (WITI) -- The city of Milwaukee says it is looking to change the type of employee information it gives out to contractors.  This, after a Dynacare employee's vehicle was stolen, and inside that vehicle was a flash drive containing personal information for thousands of city employees and their spouses -- including social security numbers.

On Thursday, November 21st, we learned after consultation with members of the Common Council and the Mayor, the Office of the City Attorney has decided to file a formal complaint with the federal Office of Civil Rights against Dynacare Laboratories for its admitted breach of HIPAA security requirements regarding the private information of more than 9,000 City of Milwaukee employees, their spouses and their domestic partners.

A statement from the city of Milwaukee issued Thursday read as follows:

“The action will be taken on behalf of the city and its employees based on Dynacare’s recent filing of a notice of breach of unsecured protected health information, its apparent unwillingness to communicate or cooperate with city representatives or to release details of its investigation, its failure to provide information to the city in order to protect our employees and the misleading comments Dynacare provided to the media.

It is important to note that the city’s contract for its wellness program is with Froedtert Community Health/Workforce Health. That is the entity to which the city provided employee information in a secured and password-protected manner, not Dynacare. The city continues to investigate the matter, and at this time has not ruled out further litigation.”

A Dynacare spokesman released the following statement to FOX6 News: “Per our obligations under HIPPA, we have already reported this incident to the OCR.”

“The action the city is taking is certainly right and needed. Our main goal is not just to sue somebody. Our main goal is to protect the rights of our citizens,” Alderman Michael Murphy said Thursday.

The incident happened back on October 22nd, when an employee of Dynacare Laboratories — a healthcare company that contracts with the city to handle the “wellness” program left a flash drive in a car. The car was stolen, along with the flash drive.

“I don’t think there’s a person in this community who thinks it’s excusable that this information was on a flash drive, in an unsecured manner in a car. It just flies in the face of all logic. It’s a very serious matter. We feel there has been a very serious breach of security,” Mayor Barrett has said.

Milwaukee police are investigating, and so far, the car has been recovered, but not the flash drive.

Dynacare officials have sent a letter to those affected saying: “We have no reason to believe that the flash drive was taken for the information it contained.”

Also, that they have set up “a dedicated call center for patients,” and that they “deeply regret any inconvenience,” and that the company will be “conducting a comprehensive internal review.”

The flash drive contained names, addresses, dates of birth, social security numbers and the genders of the employees who participate in the wellness program — which constitutes 90% of city employees, including the mayor.

“This is something we are very angry about that should never have happened,” Mayor Barrett said.

“Hopefully, that zip drive is somewhere at the bottom of the Milwaukee River,” AFSCME Local Director Boyd McCamish said.

McCamish says more than 2,000 union members had their information compromised in this incident. He says the most important thing is protecting those people.

“The finger pointing for political purposes doesn’t help anybody but those who are pointing the fingers.  We think that’s the last things people should be worried about right now,” McCamish said.

The incident also affects a group of patients who received testing from Dynacare Laboratories between August and October of 2013.

Why the sensitive information was put onto an unsecured flash drive in the first place is being debated.

Dynacare says it was necessary to comply with the city’s wellness program, saying it needed information on hand in facilities where there were cellular connectivity issues.

Meanwhile, the city says it has changed its policy and social security numbers will no longer be provided to contractors in the future. Some new ideas being considered are using employee ID numbers instead of social security numbers.