Pennsylvania Department of Human Services Investigation into Identity and Public Benefits Theft

General Investigation Report Summary

COMMONWEALTH OF PENNSYLVANIA OFFICE OF INSPECTOR GENERAL
OIG-13-0423-I-DPW
Pennsylvania Department of Human Services
Investigation into Identity and Public Benefits Theft
General Investigation Report Summary

Approved for Public Release

In September of 2013, the Pennsylvania Office of Inspector General (OIG) initiated an investigation concerning allegations of identity and benefits theft involving the Pennsylvania Department of Human Services (DHS), formerly known as the Department of Public Welfare.  The matter was brought to the attention of OIG by a police detective in a municipal police department.  As a result of the detective’s referral, OIG interviewed various individuals employed at a DHS County Assistance Office-Change Center (CAO-Change Center).  In July of 2014, OIG completed its investigation and provided its findings and recommendations to DHS.

Background

On September 12, 2013, a municipal police department police detective arrested an individual for credit card fraud and identity theft.  A search of the individual’s vehicle revealed several documents appearing to be computer printouts from the DHS electronic Client Information System (eCIS) bearing the names, birth dates, Social Security numbers, addresses, and other personal information of multiple benefit recipients.  The individual arrested was not a Commonwealth employee.  The detective immediately alerted OIG.

OIG searched Commonwealth employment records and public benefits records and discovered the arrested individual was neither a current nor past employee of the Commonwealth and the individual never received public benefits.  The usernames on the documents seized by the detective and provided to OIG led OIG to DHS Income Maintenance Caseworkers (IMCW) in a CAO-Change Center.

Investigation

DHS maintains CAO-Change Centers throughout Pennsylvania, including the center that was part of OIG’s investigation.  This CAO-Change Center assists DHS clients who cannot reach their traditional County Assistance Office (CAO).  Unlike other CAOs, clients are not seen at the CAO-Change Center.  Instead, the staff interacts with DHS clients via telephone.  Client identity is verified first and then the IMCW updates cases with caller information and requests.  As part of their normal duties, the CAO-Change Center staff will also print out forms, such as medical assessment forms, applications for the Supplemental Nutrition Assistance Program (SNAP), and income verification forms, which can be mailed to clients.

OIG interviewed a DHS Income Maintenance Administrator who confirmed the seized documents were DHS printouts and the usernames corresponded to employees at a CAO-Change Center.  The Administrator explained that one type of document seized by the detective was a “My COMPASS Account Benefit Details” form, which could be disseminated to a specific client by mail after client identity is verified.  The other documents seized were screen shots of client information and copies of “764 Forms”/“Authorization/Instruction Sheets.”  These documents are for internal use only and are never to be distributed to the clients or the public.

The Administrator told OIG that office policy is that only “My COMPASS” system printouts may be given to clients.  This information is also available to the client through the internet.  The Administrator provided OIG with a copy of an April 4, 2012, Operations Memorandum outlining the policy and stating: “CAO employees should no longer provide screen prints of CIS screens” to clients.

Another Income Maintenance Administrator told OIG that none of the “My COMPASS” forms should be stored and any printed documents that are not needed should be shredded.  Each employee should utilize a bin where internal documents are placed after use.  This bin should be emptied into a larger locked bin at the end of each day or week.  The documents in this larger bin are then destroyed through approved means.  Also, faxes from clients updating their information are stored for 30 days in the office of an IMCW supervisor on a rotating basis.  After 30 days, these forms must also be destroyed.

The Administrator explained eCIS history screen shots are not for public use; however, they could be mailed to a client if the client is looking for benefit information.  The Administrator was not aware of the April 4, 2012, Operations Memorandum prohibiting the dissemination of eCIS screen shots to clients, but stated it “probably came through.”  She admitted some other workers might not be following the Operations Memorandum either because they do not know about the policy or may do things differently because they misunderstand it.

OIG also interviewed the IMCWs whose usernames appeared on the documents seized by the detective.  One IMCW told OIG that forms to be shredded are kept on top of her desk until she makes her daily trip to the shred area.  She does not utilize a box under her desk to hold these documents.  This caseworker was not aware of any policy against keeping internal documents on desktops after work hours.  Another IMCW told OIG that, despite having worked at the CAO-Change Center for four years, she was unsure what the policies were regarding dissemination of client forms and the use of screen shots.  The IMCW also confirmed that she does not use a locked shred bin to collect discarded forms.

OIG did not find evidence that DHS’s IMCWs improperly disclosed eCIS records to the individual who was discovered by the police detective to be in possession of the records; however, the investigation revealed DHS staff may not have been fully aware of and using appropriate safeguards to mitigate the disclosure of recipient records.

Recommendations

As a result of its investigation, OIG made the following recommendations to DHS:

  1. DHS supervisors should review policies regarding dissemination of forms containing sensitive client information and train CAO-Change Center employees on those policies;
  2. DHS should implement policies regarding the destruction of forms containing sensitive client information;
  3. DHS should secure the CAO-Change Center office to ensure that only the office staff have access to the worksite; and
  4. DHS should take any other action(s) it deems appropriate.

Department/Agency Response

Based on OIG’s recommendations, DHS reinforced with the Change Center staff the importance of the existing Operations Memorandum (OPS120402, Client Information, April 4, 2012) that outlines the proper way to send benefits information to clients. In addition, all Change Center staff will be required to complete Safeguarding Information training on an annual basis.   Security will also be reviewed at the Change Center sites and changes will be made accordingly.