LOUISVILLE, Ky. (WDRB) – The Kentucky Office of Unemployment Insurance has suffered its second data breach in about three months.
The breach involved the private information of one unemployment claimant being exposed to another claimant, according to a statement from the Kentucky Labor Cabinet:
On July 27, 2020, at approximately 4 p.m., the Office of Unemployment Insurance was notified that a claimant had seen information pertaining to another individual claimant while navigating his own unemployment application in the OUI online system. The information seen by the claimant was another individual’s employer information and information about the individual’s health. At no time was the other individual’s name, social security number, or other personally identifying information available. Out of an abundance of caution, OUI has reported this potential breach while the Office of Technology Services investigates the circumstances that allowed a claimant to see the information pertaining to another individual claimant. Once the Office of Technology determines the cause of the potential breach, actions will be taken to prevent this type of incident in the future.
The incident comes after the state reported that, on April 23, some unemployment claimants' data was exposed to other unemployment claimants. Some people who had completed the online filing process were able to see sensitive information on verification documents that others had filed, state officials said when they disclosed the breach on May 28, more than a month after it happened.
Gov. Andy Beshear, a Democrat, said on May 28 that in the April 23 breach, "a handful" of people who were on the unemployment site for legitimate reasons were able to see confidential information, and that there was no evidence of bad actors.
"We don't have one report of an external group seeing it or a con artist using it," Beshear said at the time.
Beshear repeated that on Wednesday, saying the state knows of no malicious activity related to the April breach.
The breach that was discovered this week was "minor" in comparison and arguably did not constitute something that had to be publicly disclosed, Beshear said.
"Right now we are analyzing it to make sure it is not a wider-spread problem," he said.
Still, Wednesday's disclosure is another blow for the beleaguered Kentucky unemployment system, which has struggled under the weight of an unprecedented 550,000 Kentuckians seeking jobless aid and more than a million claims filed during the pandemic.
Beshear has agreed to pay accounting firm Ernst & Young $12 million in no-bid contracts for nine weeks of work to help process claims, some of which date to March.
As of Tuesday, the firm had helped with about 63,000 claims, but state officials still need to churn out a one- or two-page letter for each claim to be fully processed, Beshear said during his news briefing.
"Andy Beshear’s unemployment insurance debacle continues to put Kentuckians suffering under his orders and failed leadership at risk every day," Republican Party of Kentucky spokesman Mike Lonergan said in a statement. "From struggling to deliver the benefits Kentuckians need to make ends meet during this crisis to compromising the information of applicants, Andy Beshear’s unemployment office is one abysmal failure after another. Andy Beshear needs to take responsibility for this disaster that his administration has caused."