Controller: Confidential DHS records at risk for unauthorized access
Confidential Department of Human Services records are at risk for unauthorized access, according to a report released by City Controller Alan Butkovitz.
Confidential records kept in the Philadelphia Department of Human Services' Family and Child Tracking Systems are at risk of unauthorized access by consultants and employees, according to a review released Tuesday by City Controller Alan Butkovitz.
Butkovitz found that the list of those with access to the tracking software, which keeps information on troubled youth prepared by social workers, courts and health care professionals, included employees who are separated from the city.
One such employee hasn't worked for the city since 1997, according to Butkovitz.
"Unauthorized access increases the risk that confidential data could be compromised and abused," Butkovitz said in a statement.
He further found DHS management didn't perform security background checks for workers employed with the agency's software contractors, who were involved in the development and maintenance of the tracking system.
According to Butkovitz, the contractors had the ability to add, delete and modify confidential data.
"Providing contractors with open access to highly confidential records on children and their families may result in misuse by irresponsible individuals," Butkovitz said in a statement.
"Background investigations should be addressed as part of the contracting process and should be completed by DHS prior to the start of the work to ensure that only appropriate people have access."
Butkovitz said in the review that DHS had neither a security officer nor a security policy for the software system, allowing for "systematic threats for unauthorized software modifications to occur and the risk of lost or compromised data."
He also noted computer equipment assigned to DHS staff lacked the necessary capacity to efficiently store data and retrieve lost information, and that maintenance contracts weren't adequately monitored and were allowed to expire, resulting in equipment not being serviced.