Hingham to inform 1,300 employees
of compromised personal data
More than two weeks after a Hingham official inadvertently sent dozens of people a document containing the names and Social Security numbers of everyone who worked for the town last year, town officials said they will notify the 1,300 employees of the breach Wednesday afternoon through e-mail and first class mail.
Officials also said they will comply with state law requiring them to notify the state’s attorney general’s office and the Office of Consumer Affairs and Business Regulation of the breach, but maintain that the risk to employees is “beyond minimal.”
“We’re being overly cautious because it is sensitive information,” said Town Accountant Ted Alexiades.
Officials did not inform employees sooner because he believed they had already minimized any risk to employees, who hail from all over the South Shore, Alexiades said.
Alexiades said he e-mailed the document, a spreadsheet that included full names, earnings type, employee identification numbers, and Social Security numbers – but not birthdays or addresses -- to about 30 department heads at “mid-morning” on July 19 for their review. The information pertained to employees who work for the town in fiscal 2010, which ended June 30.
He said he was following an informal Town Hall procedure that asks department heads to review documents and records for accuracy before filling public records requests. In this instance, the request was made by The Boston Globe, which did not receive the document in question.
Less than 10 minutes after he had sent the e-mail, Alexiades said, he received a phone call from Deputy Fire Chief Robert Olsson, who Alexiades said informed him that employees’ Social Security numbers were also included in the spreadsheet.
“We’re embarrassed,” Alexiades said. “I’m personally embarrassed that it got out.”
Once the error had been brought to his attention, Alexiades said, he recalled the e-mail, which he said automatically deleted half the files before they were ever opened.
Of the 30 or so e-mails, 11 had been automatically forwarded to personal computers or handheld devices through servers such as Comcast or Verizon, officials said, and therefore moved off the protected server the town maintains.
While Verizon or Comcast will not track down and delete the e-mail, Alexiades said the recipients told him they had deleted the e-mails and files from their personal e-mail accounts
and computers, thus making them inaccessible to those who might compromise the third-party servers.
“By midafternoon, we had deleted them all,” Alexiades said.
Some union officials have written to the town demanding more information about the breach and say the town’s response has been too slow.
In one such letter, Michael A. Feinberg, the attorney for Teamsters Local 25, which represents workers in emergency dispatch, the Department of Public Works, and the Sewer Department, is already threatening legal action.
“Teamsters Local 25 and its members intend to hold the Town of Hingham responsible and liable for any monetary or other damages that this breach may have caused its members,” Feinberg wrote to Town Administrator Kevin Paicos in a letter dated July 30.
“Obviously, it’s a serious issue for us,” said Steven South, the business agent for Teamsters Local 25 who said repeated requests for information about the breach have gone unanswered. “Our members are rightfully very upset.”
Alexiades said the town “naturally” takes such threats seriously.
“As an organization, you are potentially liable if you do something that could impact another human being, and our employees could potentially be impacted,” he said. "We don't think they will be."
“When we reviewed the situation initially," Alexiades said, "we felt that because we contained the information and deleted it, that we did not have a reporting requirement.”
The response was also slow because so many officials, including Alexiades, Paicos, and the town’s attorney, James Toomey, were on vacation at various times in the last two weeks, Alexiades said.
The law, in effect since October 2007, mandates that agencies or people that store personal information must inform people “as soon as practicable” if their information was acquired or obtained by a third party. Hingham officials said they did not have reason to believe their employees’ information had been accessed by those who had received it.
Once the town formally notifies the attorney general’s office and the consumer affairs office, the law says, the AG’s office will inform the town if further departments need to be informed.
The AG’s office was not able to say how many similar filings they have received from other cities and towns, but Hingham officials said this is the first time they have had a security breach of this nature.
A spokesman for the Hingham Police said the department is not investigating the breach, but Selectman Bruce Rabuffo said Town Hall will conduct its own audit.
“I’d like to see a full explanation of how this happened...and what else should we be doing,” said Rabuffo, who said he learned of the breach Tuesday.
Waiting for Twitter to feed in the latest...