The city of Milwaukee has filed a complaint with the U.S. Department of Health and Human Services' Office of Civil Rights over the loss of personal information of as many as 9,000 city employees, their spouses and domestic partners by the city's wellness program vendor.
According to the complaint, the city provided Froedtert Workforce Health with a password-protected encrypted flash drive containing patient names, addresses, dates of birth, Social Security numbers and gender. However, that information was allegedly transferred to an unencrypted, non-password-protected flash drive that was reported stolen on Oct. 21 from the car of an employee of United/Dynacare L.L.C., a lab with which Froedtert subcontracted to perform blood tests on Milwaukee city employees.
“It was not until the afternoon of Nov. 15 that city of Milwaukee representatives were informed of the loss by Froedtert representatives,” states the complaint, filed Thursday.
The complaint also notes that the Milwaukee Police Department, which had investigated the car theft, was not informed of the missing flash drive or its contents.
“Obviously, this information would have affected the nature of the investigation had they been informed,” the complaint states. “Upon learning this, the police reopened their investigation and spoke further with the Dynacare employee involved.”
According to the complaint, “the creation of the database in the flash drive without encryption or password protection, the extreme delay in notifying the city of the loss of the flash drive, and the failure to advise the police of the theft of the flash drive raise serious concerns about Dynacare's security and training procedures, as well as its good faith or lack thereof in acting to protect the interests of thousands of city employees, their spouses and domestic partners, who are now confronting a potentially lifelong exposure to identity theft as a result of the breach.”
The city is asking for the maximum allowable penalties against Dynacare.
Employee class action
In addition to the city's complaint, a Milwaukee firefighter, Joseph D. Newbold, and his wife have filed a separate suit seeking class action status, while the union representing some city employees says on its website that it also has filed a suit against Froedtert.
The union, AFSCME District Council 48, also says it plans to file a notice of injury and claim for damages against the city.
Dynacare posted a “notice of privacy incident” on its website, acknowledging the incident and stating that it began notifying affected patients on Nov. 18. The firm also has established a dedicated call center for patients with questions.
“We deeply regret any inconvenience this may cause our patients,” the Dynacare notice states. “To help prevent something like this from happening in the future, we are conducting a comprehensive internal review of our policies and procedures and re-enforcing education to our employees on the importance of safeguarding patient information.”
A spokeswoman for Froedtert and the Medical College of Wisconsin, which operates Froedtert Workforce Health, referred requests for comment to Dynacare.