The Prince George’s County school system is investigating how the personal information of thousands of its employees ended up in a report that was forwarded to personal e-mail addresses outside the system this month.
Max Pugh, a schools spokesman, said the district has begun an investigation into how more than 10,000 employees’ names, Social Security numbers, birth dates and employee identification numbers were compromised.
Deputy Superintendent Monique W. Davis sent an e-mail to nearly half of the school district’s 23,785-person workforce last week alerting the employees that their personal data was “potentially exposed” to others when the school district sent an e-mail that inadvertently included the private information.
The school system apologized and said it was working to ensure that it does not happen again.
“We have initiated an internal investigation to determine why the report included the information,” Pugh said. He said there was a delay in notification — of about a week — because the school system had to determine the scale of the leak before reaching out to employees.
The system’s Human Resources Division contacted the teachers and principals unions’ leadership on Nov. 17 to tell them about the Nov. 14 leak, and an e-mail to employees who were affected was sent on Nov. 21.
The leak has angered employees, who have questioned the length of time it took to notify them that they might be at risk of identity theft. They also said it is unclear to them how many people received their personal information or what might happen to it.
Darla Heinz, a teacher at Northwestern High School in Hyattsville, said she is concerned about long-range ramifications, including someone holding onto the information for years and potentially creating havoc at a later date.
“It’s all very troubling,” Heinz said.
The president of the teachers union, Kenneth Haines, who has been a victim of identity theft, said in a letter to his members that mistakes happen.
“Unfortunately, to err is an irrevocable part of the human condition,” he wrote. “Shock and anger are the natural first reactions to such events, but it is now time to ensure that as little damage as possible arises from this breach.”
The Prince George’s County Public Schools’ Human Resources Division posted “Frequently Asked Questions” regarding the incident on its Web page Monday, but it was quickly removed.
According to the posting, Human Resources generated a “routine” report on Nov. 14 that inadvertently included the personal data. After school system officials realized that the sensitive information was in the report, the district suspended the e-mail accounts of all recipients in order to delete the file.
“As part of this process, PGCPS discovered that some recipients forwarded the report outside of the PGCPS e-mail domain,” the posting said.
In Davis’s e-mail notifying employees, she said the original e-mail was sent to a “select group of principals.”
A spokeswoman for the system said that the outside addresses to which the material was sent were the personal addresses of school staff members. Recipients have been contacted, said the spokeswoman, Lynn McCawley.
Human Resources said that the district’s internal auditors were conducting the investigation and that the school system has taken “appropriate action” against those responsible for gathering, sending and accessing the data.
Pugh would not comment on what action had been taken, describing it as a personnel matter.
The school system has offered a free year of credit monitoring to those whose information was in the e-mail.