Officials say the problem has been fixed, but the error made thousands of confidential child-abuse and foster care files available to anyone on the Web.
By COLLEEN JENKINS
Published October 1, 2004
A Miami Herald reporter alerted local child welfare authorities this week to a software glitch that made available thousands of confidential child-abuse and foster care records to anyone with Internet access.
Those files contained detailed information about the 3,966 children under the watch of Kids Central, the private consortium that handles foster care and related services for at-risk children in the Department of Children and Families' District 13, which includes Citrus, Hernando, Marion, Lake and Sumter counties.
Names of foster children, birth dates, Social Security numbers, photographs, case histories and even directions to children's foster homes were accessible with a password that had been published on Kids Central's Web site, the Herald reported.
DCF officials, who monitor the competitively bid contract with Kids Central, immediately ordered that the site be shut down after the reporter informed them of the security breach Wednesday morning.
"We take confidentiality of client files as most critical," said Janice Johnson, a longtime DCF administrator who became chief executive officer of Kids Central in Ocala. "We do take this very, very seriously."
Kids Central took over foster care, adoptions and other services for at-risk children in District 13 earlier this year as part of a statewide effort to put child welfare services in the hands of community-based care providers.
Six local social service providers comprise the consortium: the Centers (formerly Marion-Citrus Mental Health Center), the Children's Home Society, Camelot Inc., the Harbor Behavioral Healthcare Institute, the Life Stream Behavioral Center and Eckerd Youth Alternatives.
Part of the transition last spring included adopting a new computer system, called CoBRIS, the Community Based Resource Information System. The system was developed by Edmetrics, a Tallahassee company that was founded by former DCF Secretary James Bax but has no social service technology experience, the Herald reported.
In an e-mail response to a Times phone call on Thursday, Edmetrics defended its product, saying the company's software exceeds industry standards for maintaining confidentiality. The unauthorized access was the result of "human error," a company employee said.
"Review of security logs has assured us that this reporter was the only unauthorized access into the system," Edmetrics spokesman Steven Stark said. "We will be vigilant to ensure the integrity and security of the CoBRIS system."
Johnson said Kids Central was one of the first agencies of its kind in Florida to implement the system. The Web-based CoBRIS allows caseworkers to tap into the state's child welfare database with a password from wherever they are.
Apparently, some caseworkers had trouble getting into the database. So the technology staff added a link where people could post their help requests and read others made by their colleagues - without using a password.
That's where the trouble occurred. According to the Herald, some of the replies to help requests included specific log-in identities and the corresponding passwords.
The newspaper reporter used that information to enter a world of records, including caseworker notes and reports from home visits, that are meant to be kept from the public eye.
When Mary Jane Kuhn learned of the breach on Thursday, the president of the Foster Parents Association of Hernando County wasn't pleased. She doesn't tell anybody where her family lives for fear of what a foster child's parents might do with the information, she said.
"If they were first-class citizens, obviously we wouldn't have (their kids)," Kuhn said. "It bothers me a lot that they would have access to that. I know some foster parents would probably give up their license if they knew it."
Kids Central and DCF officials have no evidence that any child was hurt as a result of the error.
Officials said it was illegal to access the confidential database using someone else's identity, but they did not accuse the Herald reporter of breaking the law.
"It's not like a hacker got into the system," Johnson said. "Someone was able, through a mistake, to get a password and access the system."
Regardless of how the security breach came about, child welfare officials moved swiftly to fix it. Before restoring the Web site Thursday, computer specialists reset all passwords and created a new security measure that requires a log-in and password to access the help function.
Passwords now will be handed out only over the phone or in person and not through e-mail.
Also, users making a help request will no longer be able to see replies to previous questions, said Don Thomas, district administrator for District 13.
A DCF security officer from Tallahassee will examine Kids Central's Web site "to make sure there isn't a way to breach the system again," Thomas said Thursday.
Bill Harrigan, president of the Citrus County Foster Parent Association, is counting on the consortium to keep that promise.
"I'm really surprised that they let their guard down and let something like that happen," he said. "That's like the major, major no-no."