Personal information for more than 2,000 current and former Cincinnati city employees appeared online for almost two weeks in April because of a mistake, city officials said Friday.
The employee data includes names, addresses, insurance information and, in some cases, Social Security numbers. City officials said the data was posted online on April 8 and remained available until the error was discovered on April 19.
The mistake occurred, they said, when the city posted a request for dental and vision insurance providers to submit proposals to cover city employees.
Internet ID:Want to erase yourself from the internet? Here’s how
Cybersecurity:5 dangerous cybersecurity mistakes you’re probably making
City spokesman Rocky Merz said the post inadvertently included data about city employees enrolled in the city’s dental and vision insurance coverage. He said the exposed data did not include banking information, credit card numbers or medical records.
Merz said data for about 2,000 current employees and some additional former employees was posted because of the error. Merz said the incident did not affect AFSCME or FOP union members or other city employees who do not have dental or vision insurance through the city.
City officials notified employees whose data was exposed
He said city officials do not believe any of the exposed information was accessed or misused in any way. But because it was available online for 11 days, the city mailed letters Friday to all affected city employees and will offer them two years of free credit monitoring and identity theft coverage.
Interim City Manager John Curp said the city is investigating the incident to determine how it happened and how it can be prevented from happening in the future.
“Upon learning of this, the city immediately launched an investigation and has taken every step necessary to address the incident,” Curp said. “The city is committed to providing impacted individuals the resources to protect themselves and their dependents.”
Avoiding data breaches is challenging for public and private companies
Protecting personal information online is increasingly challenging, for both private companies and public institutions. A data breach involving a contractor in March made it impossible for Cincinnati Water Works customers to pay their bills online for about two weeks.
More:Cyberattacks are booming. This is how the Butler County Sheriff became a victim
Similar breaches or attacks have impacted Kroger, UC Health, Christ Hospital and the Butler County Sheriff’s office in the past two years. Reports of cyber crimes to the FBI more than doubled during the past five years, from 300,000 to 850,000.
No way to know who accessed information that was exposed online
Though the error that exposed Cincinnati employees’ data in April was not a cyber attack, city officials have no way of knowing whether criminals or others could have accessed the data while it was online.
Merz said the city is reviewing its policies and processes for handling sensitive information and will require additional training. He said the matter also will be reported to the U.S. Department of Health and Human Services.