The village of Oak Park is investigating what it’s calling a data breach impacting more than 650 current or former employees of the village and several other governmental agencies.
The employee found to have emailed spreadsheet files to a personal computer has been fired.
In a letter that arrived in mailboxes Wednesday, Village Manager Cara Pavlicek informed people that on Jan. 22, village officials became aware that an individual “connected with (the village’s) health plan sent information containing your personal data to the individual’s private email address without authorization by the village.”
That personal information, contained in electronic spreadsheets from Oak Park’s self-funded health insurance plan between 2011-2014, included names, Social Security numbers, dates of birth, and details regarding health-care benefits.
Those affected include employees and retirees of the Village of Oak Park, the Park District of Oak Park, the Oak Park Library, Oak Park Township and the West Suburban Consolidated Dispatch Center.
Pavlicek said the village had not received “any indication … that the information has been accessed or used by this individual in any way that would cause harm to you.”
The letter assured people that the village was taking preventive steps to assure such a breach does not occur again, and also recommended that all affected individuals “closely monitor” bank, credit card and other financial statements for irregularities.
Pavlicek sat down with the Cook County Chronicle Wednesday afternoon to discuss the situation. She said officials first became aware of a problem when some employees complained that they were being told by the village’s insurance providers that premiums hadn’t been paid on dental and life policies.
“Within a 48-hour window we determined that that was true,” she said. “We determined it was important to look at a certain employee’s email correspondence with our insurance carriers.”
She said that is when they found that some files had been forwarded to a personal email account.
“It was a violation of our process,” Pavlicek said. “The health information is clearly under HIPPA. The employee had no reason to be emailing that to a private address.”
Pavlicek stressed several times that while “an exhaustive criminal investigation” was conducted, officials have uncovered no indication that the forwarded files were used for any illegal purposes.
“We didn’t want to imply that at all,” Pavlicek said, a point she reiterated in a Thursday press release.
“While the employee violated serious work rules that resulted in termination of employment, it is important to note that we have no indication that the information taken was intended for any illegal use.”
“Since we cannot confirm any authorized reason for the employee to take the information, we are erring on the side of caution and notifying those individuals affected.”
Pavlicek said no public release regarding the case would have happened but for the fact that letters had to be sent to over 650 people.
“We wouldn’t be doing a press release except for the reason we had to notify people of the breach,” she said.
This is the second time in less than two years that the village has dealt with an alleged employee misuse of personal information.
Unlike with the current situation, a 2014 case involved clear criminal intent by the employee.
On Aug. 6, 2014, Adjudication Department employee Sheila Hudson was arrested by Oak Park police after an investigation determined she had paid personal bills by using the bank account routing number from a check used to pay a contested parking fine.
Hudson’s criminal activity came to light after that customer complained to the village about the fraudulent charges to her bank account.
Hudson, who lived in far west Cortland, Ill. near DeKalb, pleaded guilty that November both to engaging in a “continuing criminal enterprise” and to official misconduct. She was given two years probation and ordered to make $3,500 restitution.
For reasons that remain unclear, Hudson’s arrests and her subsequent criminal conviction were never disclosed by police or other village officials. The Cook County Chronicle has filed an FOIA for Hudson’s arrest records and other information on the case.
Court records also indicate that Hudson was indicted in Cook County for forgery in 2001, but no resolution of that case was available.
— Oak Park investigating data breach affecting hundreds —