New Jersey state agencies left confidential information on computers set to be sold at auction, according to a report released this week by state Comptroller Matthew Boxer.
An audit by Boxer's office revealed that multiple state agencies disposed of computer equipment without ensuring that data on the devices had been removed. Auditors discovered completed tax returns, Social Security numbers, health records, child abuse papers and a list of login passwords on computers that were shrink-wrapped on pallets at the state's surplus property warehouse ready to be auctioned off to the public.
The comptroller's office intervened to stop the auction after confidential information was discovered on the computers but warned that the state may have inadvertently released personal information in the past. The state gives away or sells hundreds of computers each year, the comptroller's office estimated.
“It's certainly a reasonable assumption that before we arrived there was no one to stop computers with confidential data from being auctioned to the public,” said Pete McAleer, a comptroller spokesman.
New Jersey state policy requires agencies to remove all data from a computer's hard drive before deeming it fit for redistribution. Despite the state's requirements, 46 out of 58, or 79 percent, of the hard drives evaluated during the audit contained data, much of which was confidential, according to the report.
“At a time when identity theft is all too common, the state must take better precautions so it doesn't end up auctioning off taxpayers' Social Security numbers and health records to the highest bidder,” Boxer said in a statement.
Specifically, the hard drives contained more than 230 files related to state child abuse investigations, containing names and addresses of the children, as well as immunization and health records. The release of such information violates various state and federal laws, the report states.
The comptroller made 10 recommendations to state officials for improving the surplus system, many of which advise employees to follow and enforce existing policies.
In response, the state's Treasury Department, which operates the warehouse, said it has undertaken efforts to improve data security.
The department has issued an interim policy requiring that agencies remove all hard drives from computers sent for redistribution while it develops a permanent policy for handling such computers.