[ISN] Glitch opens access to kids' records

InfoSec News isn at c4i.org
Fri Oct 1 06:09:38 EDT 2004


Times Staff Writer
October 1, 2004

A Miami Herald reporter alerted local child welfare authorities this
week to a software glitch that made available thousands of
confidential child-abuse and foster care records to anyone with
Internet access.

Those files contained detailed information about the 3,966 children
under the watch of Kids Central, the private consortium that handles
foster care and related services for at-risk children in the
Department of Children and Families' District 13, which includes
Citrus, Hernando, Marion, Lake and Sumter counties.

Names of foster children, birth dates, Social Security numbers,
photographs, case histories and even directions to children's foster
homes were accessible with a password that had been published on Kids
Central's Web site, the Herald reported.

DCF officials, who monitor the competitively bid contract with Kids
Central, immediately ordered that the site be shut down after the
reporter informed them of the security breach Wednesday morning.

"We take confidentiality of client files as most critical," said
Janice Johnson, a longtime DCF administrator who became chief
executive officer of Kids Central in Ocala. "We do take this very,
very seriously."

Kids Central took over foster care, adoptions and other services for
at-risk children in District 13 earlier this year as part of a
statewide effort to put child welfare services in the hands of
community-based care providers.

Six local social service providers comprise the consortium: the
Centers (formerly Marion-Citrus Mental Health Center), the Children's
Home Society, Camelot Inc., the Harbor Behavioral Healthcare
Institute, the Life Stream Behavioral Center and Eckerd Youth

Part of the transition last spring included adopting a new computer
system, called CoBRIS, the Community Based Resource Information
System. The system was developed by Edmetrics, a Tallahassee company
that was founded by former DCF Secretary James Bax but has no social
service technology experience, the Herald reported.

In an e-mail response to a Times phone call on Thursday, Edmetrics
defended its product, saying the company's software exceeds industry
standards for maintaining confidentiality. The unauthorized access was
the result of "human error," a company employee said.

"Review of security logs has assured us that this reporter was the
only unauthorized access into the system," Edmetrics spokesman Steven
Stark said. "We will be vigilant to ensure the integrity and security
of the CoBRIS system."

Johnson said Kids Central was one of the first agencies of its kind in
Florida to implement the system. The Web-based CoBRIS allows
caseworkers to tap into the state's child welfare database with a
password from wherever they are.

Apparently, some caseworkers had trouble getting into the database. So
the technology staff added a link where people could post their help
requests and read others made by their colleagues - without using a

That's where the trouble occurred. According to the Herald, some of
the replies to help requests included specific log-in identities and
the corresponding passwords.

The newspaper reporter used that information to enter a world of
records, including caseworker notes and reports from home visits, that
are meant to be kept from the public eye.

When Mary Jane Kuhn learned of the breach on Thursday, the president
of the Foster Parents Association of Hernando County wasn't pleased.  
She doesn't tell anybody where her family lives for fear of what a
foster child's parents might do with the information, she said.

"If they were first-class citizens, obviously we wouldn't have (their
kids)," Kuhn said. "It bothers me a lot that they would have access to
that. I know some foster parents would probably give up their license
if they knew it."

Kids Central and DCF officials have no evidence that any child was
hurt as a result of the error.

Officials said it was illegal to access the confidential database
using someone else's identity, but they did not accuse the Herald
reporter of breaking the law.

"It's not like a hacker got into the system," Johnson said. "Someone
was able, through a mistake, to get a password and access the system."

Regardless of how the security breach came about, child welfare
officials moved swiftly to fix it. Before restoring the Web site
Thursday, computer specialists reset all passwords and created a new
security measure that requires a log-in and password to access the
help function.

Passwords now will be handed out only over the phone or in person and
not through e-mail.

Also, users making a help request will no longer be able to see
replies to previous questions, said Don Thomas, district administrator
for District 13.

A DCF security officer from Tallahassee will examine Kids Central's
Web site "to make sure there isn't a way to breach the system again,"  
Thomas said Thursday.

Bill Harrigan, president of the Citrus County Foster Parent
Association, is counting on the consortium to keep that promise.

"I'm really surprised that they let their guard down and let something
like that happen," he said. "That's like the major, major no-no."

More information about the ISN mailing list