OFFICE OF AUDIT DRAFT REGION 8 For Discussion and Comment Only - Subject to Review and Revision DENVER, CO Helena Housing Authority, Helena, MT Housing Choice Voucher Program 2014-DE-1002 SEPTEMBER 25, 2014 Issue Date: September 25, 2014 Audit Report Number: 2014-DE-1002 TO: Ann Roman, Director, Denver Office of Public and Indian Housing, 8APH //signed// FROM: Ronald J. Hosking, Regional Inspector General for Audit, 8AGA SUBJECT: A Former Employee of the Helena Housing Authority, Helena, MT, Improperly Released Personally Identifiable Information Attached is the U.S. Department of Housing and Urban Development (HUD), Office of Inspector General’s (OIG) final results of our review of a hotline complaint alleging the improper release of housing choice voucher holders’ personally identifiable information outside the Helena Housing Authority. HUD Handbook 2000.06, REV-4, sets specific timeframes for management decisions on recommended corrective actions. For each recommendation without a management decision, please respond and provide status reports in accordance with the HUD Handbook. Please furnish us copies of any correspondence or directives issued because of the audit. The Inspector General Act, Title 5 United States Code, section 8M, requires that OIG post its publicly available reports on the OIG Web site. Accordingly, this report will be posted at http://www.hudoig.gov. If you have any questions or comments about this report, please do not hesitate to call me at 913-551-5870. Office of Audit Region 8 1670 Broadway, 24th Floor, Denver, CO 80202 Phone (303) 672-5452, Fax (303) 672-5006 Visit the Office of Inspector General Web site at www.hudoig.gov. September 25, 2014 A Former Employee of the Helena Housing Authority, Helena, MT, Improperly Released Personally Identifiable Information Highlights Audit Report 2014-DE-1002 What We Audited and Why What We Found We received a hotline complaint A former Authority employee improperly released alleging that a former employee of the personally identifiable information outside the Helena Housing Authority, Helena, MT, Authority. The employee sent at least seven emails improperly released housing choice containing housing choice voucher holders’ personally voucher holders’ personally identifiable identifiable information, including Social Security information outside the Authority. Our numbers and other personal information such as objective was to determine whether the household income, to the employee’s personal email allegation had merit. address and the work email address of a friend who worked for one of the Authority’s contractors. What We Recommend We recommend that the Director of the Denver Office of Public and Indian Housing require the Montana Department of Commerce and the Authority to consult their legal counsel to determine whether they are required to inform those voucher holders of the breach and if so, to notify the voucher holders. TABLE OF CONTENTS Background and Objective 3 Results of Audit 4 The Former Employee Improperly Released Personally Identifiable Information Outside the Authority Scope and Methodology 6 Internal Controls 7 Appendix 8 Auditee Comments 2 BACKGROUND AND OBJECTIVES The Helena Housing Authority was established on October 1, 1938, under the requirements of Section 7-15-44, Montana Code Annotated. A board of seven commissioners appointed by the mayor of Helena, MT, governs the Authority. The board determines Authority policies and monitors the Authority’s financial and operational success. Its mission is to provide safe and affordable housing and related services to eligible low-income families, the elderly, and the disabled. The Authority receives Federal funds from the U.S. Department of Housing and Urban Development (HUD) to administer its Housing Choice Voucher program. This program is the Federal Government’s major program for assisting very low-income families, the elderly, and the disabled in affording decent, safe, and sanitary housing in the private market. The Authority also assists the State of Montana Department of Commerce with the administration of the State’s housing choice vouchers under a yearly service agreement. The agreement applies to the State’s housing choice vouchers issued within the geographic boundaries of Broadwater, Jefferson, and Lewis and Clark Counties in Montana. The Authority manages 366 public housing units and has 345 vouchers, not including the State’s vouchers. We initiated a review of the Authority due to an allegation of a potential breach of housing choice voucher holders’ personally identifiable information. Our objective was to determine whether a former housing authority employee improperly released housing choice voucher holders’ personally identifiable information outside the Authority. 3 RESULTS OF AUDIT A Former Employee Improperly Released Personally Identifiable Information Outside the Authority We reviewed an allegation contained in a hotline complaint that a former employee of the Authority improperly released housing choice voucher holders’ personally identifiable information outside the Authority. We substantiated the allegation. Personally Identifiable Information Released The hotline complaint alleging that a former employee improperly released personally identifiable information outside the Authority had merit. We found seven emails containing housing choice voucher holders’ personally identifiable information that were improperly sent by a former employee outside the Authority. The released emails contained many instances of program participants’ contact information, including Social Security numbers and other personal information such as household income. The former employee sent the emails to the employee’s personal email address and the work email address of a friend who worked for one of the Authority’s contractors. The former employee certified to the receipt and understanding of Authority and State of Montana privacy policies before sending the emails. These policies require protection of client privacy as well as compliance with all applicable State and Federal laws that relate to the receipt of HUD or other government agency funds. The former employee and the employee’s friend told us that they did not share or make public any client personally identifiable information. They further stated that they did not use the information for personal gain. The former employee stated that the information was sent to the employee’s personal email to protect the employee from questions the Authority may have had or adverse actions the Authority may have taken following the employee’s termination of employment. We did not find an indication that the former employee shared or profited from the released personally identifiable information. In addition, since the former employee did not obtain the information from a HUD system, there was no violation of the Privacy Act (see 5 U.S.C. (United States Code) 552(a)). Because the former employee obtained the personally identifiable information from a State of Montana system and a State-administered program, the Authority and the State should consult with their legal offices to determine the proper course of action. 4 We told the Authority which emails contained client personally identifiable information to assist in its efforts to respond appropriately. Recommendations We recommend that the Director of the Denver Office of Public and Indian Housing require the Montana Department of Commerce and the Authority to 1A. Consult their legal counsel to determine whether the employee violated the State’s privacy laws. If so, consider taking action against the former employee. 1B. Consult their legal counsel to determine whether they are required to inform voucher holders of the breach and if so, to notify those voucher holders. 5 SCOPE AND METHODOLOGY Our audit covered the period January 1, 2012, through February 28, 2014. We performed our onsite work from April 2014 to June 2014 at the Authority offices located at 812 Abbey Street, Helena, MT. We reviewed Authority policies and proceedures to obtain an understanding of the program and the auditee. We interviewed current and former staff at the Authority, one of the Authority’s contractors, and officials at the State of Montana Department of Commerce, Division of Housing. We reviewed all relevant emails and other written communications originating from and received by the Authority during our audit period. We did not select a sample of tenant files or perform file reviews to support our finding. We did not use auditee computer-generated data as audit evidence or to support our audit conclusions. We used computer-generated documentation obtained from HUD and the auditee for background information purposes. We based all of our conclusions on source documentation reviewed during the audit. We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective(s). We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. 6 INTERNAL CONTROLS Internal control is a process adopted by those charged with governance and management, designed to provide reasonable assurance about the achievement of the organization’s mission, goals, and objectives with regard to Effectiveness and efficiency of operations, Reliability of financial reporting, and Compliance with applicable laws and regulations. Internal controls comprise the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance. Relevant Internal Controls We determined that the following internal controls were relevant to our audit objective: Controls to ensure the safeguarding of personally identifiable information. We assessed the relevant controls identified above. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, the reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations on a timely basis. We evaluated internal controls related to the audit objective in accordance with generally accepted government auditing standards. Our evaluation of internal controls was not designed to provide assurance regarding the effectiveness of the internal control structure. Accordingly, we do not express an opinion on the effectiveness of the Authority’s related internal controls. 7 APPENDIX AUDITEE COMMENTS The Auditee chose not to provide comments to this report. 8
A Former Employee of the Helena Housing Authority, Helena, MT, Improperly Released Personally Identifiable Information
Published by the Department of Housing and Urban Development, Office of Inspector General on 2014-09-25.
Below is a raw (and likely hideous) rendition of the original report. (PDF)