The personal data of the state’s 30,000 employees was inadvertently exposed earlier this month when a master spreadsheet was shared with benefits administrators at Colorado higher education institutions.
After learning of the information breach on Oct. 7, the Colorado Department of Personnel and Administration immediately asked the 38 benefits administrators to delete the email and spreadsheet, which contained social security numbers, birth dates and other sensitive information of state employees eligible for short-term disability and do not all work at their schools.
There was no evidence “information was misused or compromised in any fashion,” according to a letter sent to the affected state employees by Kara Veitch, executive director of the Colorado Department of Personnel and Administration.
As is required by law, an organization that exposes private personal information must notify the victims and share ways to protect their private information. The letter provided numbers and links to the three credit reporting agencies that consumers can use to track potential identity theft activity.
Doug Platt, a spokesman for the Department of Personnel and Administration, said the administrators who received the spreadsheet are used to handling sensitive data and regularly receive similar information from the state.
The department has also taken steps to ensure a similar breach doesn’t happen again, but Platt did not have more information on the process.
“We believe it to be a very low risk release of information because it went to benefit administrators only within state government institutions and departments,” Platt said. “They’re accustomed to handling this information, and we addressed the release immediately.”
Sign up here to get The Unaffiliated, our twice-weekly newsletter on Colorado politics and policy.
Each edition if filled with exclusive news, analysis and other behind-the-scenes information you won’t find anywhere else. Subscribe today to see what all the buzz is about.
The incident doesn’t seem too concerning, said James E. Lee, Chief Operating Officer at the Identity Theft Resource Center, which tracks data breaches nationwide and has seen a decline in breaches so far in 2020.
“It’s not common, but it does happen,” Lee said in an email. “It used to be more frequent in the early days of data breach sensitivity. There is a relatively low risk in this specific case since the information was not sent to people outside the state government.”