Working for Uncle Sam can be hazardous to your health, not to mention your private information.
Consider these headlines from Thursday morning papers:
The Washington Post: “Employees fault NIH on smallpox notification.”
The New York Times: “Chinese Hackers Pursue Key Data on U.S. Workers.”
While other sectors also have risks, the nature of federal employment means staffers on Sam’s payroll face a variety of dangers, often unseen and unheard until too late.
Compounding the situation is the sometimes slow response by management to keep workers informed. Potential exposure to smallpox is serious enough without officials lagging in their notice to employees.
The Post’s Lena H. Sun reports that officials failed to promptly notify 18,000 employees at the National Institutes of Health’s Bethesda campus about old vials of smallpox virus that were found there.
A small number of employees working in an adjacent room were told about the smallpox find within a day after the vials were discovered. It took about seven hours after news reports were published a week after the incident for Food and Drug Administration Commissioner Margaret A. Hamburg to inform staffers agency-wide. That led to some employee grumbling.
“By now you may be aware of news reports about vials of smallpox,” her e-mail began. Employees would rather get such information from management first.
Sun’s story also mentioned the anthrax bacteria that was accidentally released at a Centers for Disease Control and Prevention facility in Atlanta in June. CDC Director Tom Frieden apologized later that month for a delay in providing information to employees.
But that’s nothing compared with news about an infection that spread through the NIH clinical center in 2011. Information about that was not publicly available until a year later.
Office of Personnel Management officials certainly did better than that, yet it took them about four months to inform OPM employees of the attempted breach of an agency database in March. OPM employees received information Thursday, after the story broke the night before, about the computer break-in. An OPM spokesman said the notification did not go out in March because there was no indication that personal information had been breached.
Though the OPM holds records on employees from across the government, staffers in other agencies have not been officially notified about the “potential intrusion of our network,” as the statement to OPM employees described it.
By declining requests for interviews with agency officials, the OPM missed an opportunity to provide more information, and perhaps reassurance, to feds generally. Instead, the agency gave reporters the basic government-issue boilerplate for situations like this.
“We continue to exercise the utmost vigilance in monitoring for potential threats and protecting our information and systems,” the OPM said.
It was encouraging that, “at this time,” according to statements to the media and OPM employees, “neither OPM nor US-CERT [the Computer Emergency Readiness Team] have identified any loss of personally identifiable information.”
People at other agencies also would have appreciated being kept informed. My colleague Josh Hicks talked to 15 feds and none said they were notified about the attempted OPM hacking.
“We haven’t heard officially,” said Suzanne Pilsk, a Smithsonian Institution librarian. She learned about it from The Post.
Though she is concerned about the release of personal information such as Social Security numbers, Pilsk believes the government is doing what it can against cybersecurity threats. “I know there’s a lot of infrastructure in place to protect data,” she said. “I know it’s a concern, but I feel like they’re trying their best.”
But it’s a tough fight and a quickly growing problem.
In April, Gregory C. Wilshusen, director of information security issues at the Government Accountability Office, said the number of security incidents reported by federal agencies involving personally identifiable information more than doubled, to more than 25,000 cases, from fiscal year 2009 through 2013.
Some examples from the GAO report:
● Hackers stole a variety of information — including Social Security numbers, birth dates, bank account numbers and security questions and answers — for more than 104,000 people from the Energy Department in June 2013.
● Social Security numbers were among the targets of “a sophisticated cyber attack” in May 2012 on the federal employee Thrift Savings Plan. The information of 123,000 savers was compromised.
● In February 2009, the Federal Aviation Administration said personal information for more than 45,000 employees and retirees had been electronically stolen.
All of those cases don’t begin to measure up to the theft of computers with the personal information of 26.5 million veterans and active-duty military members from the home of a Department of Veterans Affairs employee in 2006, according to the GAO.
In its typically understated way, the GAO summed up its findings: “Agencies continue to face challenges in effectively securing their information.”
Until they overcome those challenges, which in today’s digital world might be impossible, the personal information of federal employees and others remains at risk.
Alice Crites and Josh Hicks contributed to this column.
Previous columns by Joe Davidson are available at wapo.st/