In early February, a thief broke into several offices in Olympia, Washington to steal anything he could grab that was worth selling. In one locked drawer, the thief found a couple of external hard drives that he added to his haul of cash, cameras, electronics and laptops.
The hard drives belonged to the local office of the Administration for Children and Families, part of the Department of Health and Human Services, and contained between two and five million records related to child-support audits.
As of Thursday morning, the City of Olympia police department did not know what happened to the drives, even though two people have been arrested in connection with the theft.
"We did recover some of the stolen items, but have not yet been able to recover the hard drives," said Laura Wohl, public information officer for the department.
Now federal officials and elected representatives are looking into the case.
"Your staff acknowledged that the use of personal equipment is a clear violation of HHS privacy and security policy," wrote Utah Republican Jason Chaffetz and Maryland Democrat Elijah Cummings in a letter on Tuesday. Chaffetz is the chairman and Cummings the ranking member of the U.S. House of Representatives' Committee on Oversight and Government Reform.
"It demonstrates clear, overarching problems in handling of children's' sensitive information," said Andrew Komarov, Chief Intelligence Officer at Scottsdale, Arizona-based security firm InfoArmor, Inc.
The time it took to report a breach was also a concern for the elected officials.
"It is unclear why the department waited nearly two months to provide Congress with notification," the representatives added, since notification is required within seven days under the Federal Information Security Modernization Act.
The two representatives asked the department to brief the committee no later than Monday about the full extent of the data loss.
The previous day, Republican Senator Ron Johnson of Wisconsin, chair of the Committee on Homeland Security and Governmental Affairs, also sent a letter asking for this information, as well as whether information from other offices at HHS was compromised during the theft.
There was no information yet as to whether the drives were encrypted.
"Sensitive data should always be encrypted when stored on disks and elsewhere at rest," said Giovanni Vigna, co-founder and CTO at Redwood City, Calif.-based security firm Lastline, Inc.
"This is something that is easily achievable with encrypted file systems, which are now widely available in any and every operating system.”
Vigna added that government employees need to get training in protecting data, and copying data for personal convenience should be a career-limiting move.