Fired LA County employees had access to confidential medical, criminal records

A series of audits found lapses in security practices at Los Angeles County departments left fired employees with access to confidential records, including medical and criminal files. 

The audits, conducted by L.A. County's Auditor-Controller, reviewed systems security at Los Angeles County's probation and public health departments.  They found both departments failed to delete employee's online credentials to confidential information systems after employees were fired.

Los Angeles Supervisor Mark Ridley-Thomas is expected to introduce a motion for Tuesday's regular meeting calling for more regular audits and remedial measures.

"The audits revealed astonishing vulnerabilities that need to be immediately addressed," Ridley-Thomas said. "This is information that needs to be protected at all times."

Keep up with LAist.

If you're enjoying this article, you'll love our daily newsletter, The LA Report. Each weekday, catch up on the 5 most pressing stories to start your morning in 3 minutes or less.

Subscribe

In probation's case, the audit found 695 logins remained active for seven years - and 33 were at some point used to access probation systems, sometimes five years after the employee left. (Probation has now deleted the accounts.)

Auditors found additional issues with the number of employees able to view social security numbers for probationers.

At the Department of Public Health, 13 employee accounts were active well after termination of employment, and in one case, an old login was used to order tests and access the results for patients in the public health system - a possible violation of federal privacy laws. The department later told auditors the old login was actually used by an active employee rather than the person who had been terminated.

Auditors found 21 employees had key card access to health buildings after leaving the job.

The audits also found other problems with computer hardware. At the health department, 29 employee laptops didn't have encryption software installed.

At the probation department, employees could not immediately account for 18 of 40 items auditors randomly selected to review, including laptops and desktop computers. Six of the items were later found to have been donated, but officials still can't find the other 12.

Both probation and public health officials have taken action to address the issues outlined in the audits, according to the reports.

Ridley-Thomas wants all county departments to undergo similar audits every year and department heads to report to the board every 90 days on how they're upgrading technology security.

He said the county needs across-the-board encryption and data security protocols.

"Anything less is unacceptable," he said.