Spreadsheet snafu exposes private data of 30,000 Colorado state employees

State officials say files have been deleted and there’s no evidence of misuse, but those affected are being told to take precautions

The Colorado State Capitol Building on Jan 19, 2019. (Eric Lubbers, The Colorado Sun)

The personal data of the state’s 30,000 employees was inadvertently exposed earlier this month when a master spreadsheet was shared with benefits administrators at Colorado higher education institutions.

After learning of the information breach on Oct. 7, the Colorado Department of Personnel and Administration immediately asked the 38 benefits administrators to delete the email and spreadsheet, which contained Social Security numbers, birth dates and other sensitive information of state employees who are eligible for short-term disability and who do not all work at the administrators' schools.

There was no evidence “information was misused or compromised in any fashion,” according to a letter sent to the affected state employees by Kara Veitch, executive director of the Colorado Department of Personnel and Administration. 

By law, an organization that exposes private personal information must notify the victims and share ways to protect their private information. The letter provided numbers and links to the three credit reporting agencies that consumers can use to track potential identity theft activity.

Doug Platt, a spokesman for the Department of Personnel and Administration, said the administrators who received the spreadsheet are used to handling sensitive data and regularly receive similar information from the state. 

The department has also taken steps to ensure a similar breach doesn’t happen again, but Platt did not have more information on the process. 

“We believe it to be a very low risk release of information because it went to benefit administrators only within state government institutions and departments,” Platt said. “They’re accustomed to handling this information, and we addressed the release immediately.”

The incident doesn’t seem too concerning, said James E. Lee, Chief Operating Officer at the Identity Theft Resource Center, which tracks data breaches nationwide and has seen a decline in breaches so far in 2020.

“It’s not common, but it does happen,” Lee said in an email. “It used to be more frequent in the early days of data breach sensitivity. There is a relatively low risk in this specific case since the information was not sent to people outside the state government.”
