oversight

A Former Employee of the Helena Housing Authority, Helena, MT, Improperly Released Personally Identifiable Information

Published by the Department of Housing and Urban Development, Office of Inspector General on 2014-09-25.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

OFFICE OF AUDIT                                      DRAFT
REGION   8
   For Discussion and Comment Only - Subject to Review and Revision
DENVER, CO




                Helena Housing Authority, Helena, MT

                     Housing Choice Voucher Program




  2014-DE-1002                                                        SEPTEMBER 25, 2014
                                                                    Issue Date: September 25, 2014

                                                                    Audit Report Number: 2014-DE-1002




TO:            Ann Roman, Director, Denver Office of Public and Indian Housing, 8APH

               //signed//
FROM:          Ronald J. Hosking, Regional Inspector General for Audit, 8AGA

SUBJECT:       A Former Employee of the Helena Housing Authority, Helena, MT, Improperly
               Released Personally Identifiable Information


    Attached is the U.S. Department of Housing and Urban Development (HUD), Office of
Inspector General’s (OIG) final results of our review of a hotline complaint alleging the
improper release of housing choice voucher holders’ personally identifiable information outside
the Helena Housing Authority.

    HUD Handbook 2000.06, REV-4, sets specific timeframes for management decisions on
recommended corrective actions. For each recommendation without a management decision,
please respond and provide status reports in accordance with the HUD Handbook. Please furnish
us copies of any correspondence or directives issued because of the audit.

    The Inspector General Act, Title 5 United States Code, section 8M, requires that OIG post its
publicly available reports on the OIG Web site. Accordingly, this report will be posted at
http://www.hudoig.gov.

   If you have any questions or comments about this report, please do not hesitate to call me at
913-551-5870.




                                                Office of Audit Region 8
                                   1670 Broadway, 24th Floor, Denver, CO 80202
                                      Phone (303) 672-5452, Fax (303) 672-5006
                          Visit the Office of Inspector General Web site at www.hudoig.gov.
                                           September 25, 2014
                                           A Former Employee of the Helena Housing Authority,
                                           Helena, MT, Improperly Released Personally Identifiable
                                           Information



Highlights
Audit Report 2014-DE-1002



 What We Audited and Why                    What We Found

We received a hotline complaint            A former Authority employee improperly released
alleging that a former employee of the     personally identifiable information outside the
Helena Housing Authority, Helena, MT,      Authority. The employee sent at least seven emails
improperly released housing choice         containing housing choice voucher holders’ personally
voucher holders’ personally identifiable   identifiable information, including Social Security
information outside the Authority. Our     numbers and other personal information such as
objective was to determine whether the     household income, to the employee’s personal email
allegation had merit.                      address and the work email address of a friend who
                                           worked for one of the Authority’s contractors.

 What We Recommend

We recommend that the Director of the
Denver Office of Public and Indian
Housing require the Montana
Department of Commerce and the
Authority to consult their legal counsel
to determine whether they are required
to inform those voucher holders of the
breach and if so, to notify the voucher
holders.
                           TABLE OF CONTENTS

Background and Objective                                                3

Results of Audit                                                        4
      The Former Employee Improperly Released Personally Identifiable
      Information Outside the Authority

Scope and Methodology                                                   6

Internal Controls                                                       7

Appendix                                                                8
      Auditee Comments




                                           2
                     BACKGROUND AND OBJECTIVES

The Helena Housing Authority was established on October 1, 1938, under the requirements of
Section 7-15-44, Montana Code Annotated. A board of seven commissioners appointed by the
mayor of Helena, MT, governs the Authority. The board determines Authority policies and
monitors the Authority’s financial and operational success. Its mission is to provide safe and
affordable housing and related services to eligible low-income families, the elderly, and the
disabled.

The Authority receives Federal funds from the U.S. Department of Housing and Urban
Development (HUD) to administer its Housing Choice Voucher program. This program is the
Federal Government’s major program for assisting very low-income families, the elderly, and the
disabled in affording decent, safe, and sanitary housing in the private market.

The Authority also assists the State of Montana Department of Commerce with the
administration of the State’s housing choice vouchers under a yearly service agreement. The
agreement applies to the State’s housing choice vouchers issued within the geographic
boundaries of Broadwater, Jefferson, and Lewis and Clark Counties in Montana.

The Authority manages 366 public housing units and has 345 vouchers, not including the State’s
vouchers.

We initiated a review of the Authority due to an allegation of a potential breach of housing
choice voucher holders’ personally identifiable information.

Our objective was to determine whether a former housing authority employee improperly
released housing choice voucher holders’ personally identifiable information outside the
Authority.




                                                3
                                RESULTS OF AUDIT


A Former Employee Improperly Released Personally Identifiable
Information Outside the Authority
We reviewed an allegation contained in a hotline complaint that a former employee of the
Authority improperly released housing choice voucher holders’ personally identifiable
information outside the Authority. We substantiated the allegation.


 Personally Identifiable Information
 Released

              The hotline complaint alleging that a former employee improperly released
              personally identifiable information outside the Authority had merit. We found
              seven emails containing housing choice voucher holders’ personally identifiable
              information that were improperly sent by a former employee outside the
              Authority. The released emails contained many instances of program
              participants’ contact information, including Social Security numbers and other
              personal information such as household income. The former employee sent the
              emails to the employee’s personal email address and the work email address of a
              friend who worked for one of the Authority’s contractors.

              The former employee certified to the receipt and understanding of Authority and
              State of Montana privacy policies before sending the emails. These policies
              require protection of client privacy as well as compliance with all applicable State
              and Federal laws that relate to the receipt of HUD or other government agency
              funds.

              The former employee and the employee’s friend told us that they did not share or
              make public any client personally identifiable information. They further stated
              that they did not use the information for personal gain. The former employee
              stated that the information was sent to the employee’s personal email to protect
              the employee from questions the Authority may have had or adverse actions the
              Authority may have taken following the employee’s termination of employment.

              We did not find an indication that the former employee shared or profited from
              the released personally identifiable information. In addition, since the former
              employee did not obtain the information from a HUD system, there was no
              violation of the Privacy Act (see 5 U.S.C. (United States Code) 552(a)). Because
              the former employee obtained the personally identifiable information from a State
              of Montana system and a State-administered program, the Authority and the State
              should consult with their legal offices to determine the proper course of action.


                                               4
                                                 
          We told the Authority which emails contained client personally identifiable
          information to assist in its efforts to respond appropriately.

Recommendations

          We recommend that the Director of the Denver Office of Public and Indian
          Housing require the Montana Department of Commerce and the Authority to

          1A.     Consult their legal counsel to determine whether the employee violated the
                  State’s privacy laws. If so, consider taking action against the former
                  employee.

          1B.     Consult their legal counsel to determine whether they are required to
                  inform voucher holders of the breach and if so, to notify those voucher
                  holders.




                                           5
                                             
                         SCOPE AND METHODOLOGY

Our audit covered the period January 1, 2012, through February 28, 2014. We performed our
onsite work from April 2014 to June 2014 at the Authority offices located at 812 Abbey Street,
Helena, MT.

We reviewed Authority policies and proceedures to obtain an understanding of the program and
the auditee. We interviewed current and former staff at the Authority, one of the Authority’s
contractors, and officials at the State of Montana Department of Commerce, Division of
Housing. We reviewed all relevant emails and other written communications originating from
and received by the Authority during our audit period. We did not select a sample of tenant files
or perform file reviews to support our finding.

We did not use auditee computer-generated data as audit evidence or to support our audit
conclusions. We used computer-generated documentation obtained from HUD and the auditee
for background information purposes. We based all of our conclusions on source documentation
reviewed during the audit.

We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective(s). We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.




                                                6
                                                 
                              INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management,
designed to provide reasonable assurance about the achievement of the organization’s mission,
goals, and objectives with regard to

      Effectiveness and efficiency of operations,
      Reliability of financial reporting, and
      Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the
organization’s mission, goals, and objectives. Internal controls include the processes and
procedures for planning, organizing, directing, and controlling program operations as well as the
systems for measuring, reporting, and monitoring program performance.


 Relevant Internal Controls

               We determined that the following internal controls were relevant to our audit
               objective:

                     Controls to ensure the safeguarding of personally identifiable information.


               We assessed the relevant controls identified above.

               A deficiency in internal control exists when the design or operation of a control does
               not allow management or employees, in the normal course of performing their
               assigned functions, the reasonable opportunity to prevent, detect, or correct (1)
               impairments to effectiveness or efficiency of operations, (2) misstatements in
               financial or performance information, or (3) violations of laws and regulations on a
               timely basis.

               We evaluated internal controls related to the audit objective in accordance with
               generally accepted government auditing standards. Our evaluation of internal
               controls was not designed to provide assurance regarding the effectiveness of the
               internal control structure. Accordingly, we do not express an opinion on the
               effectiveness of the Authority’s related internal controls.




                                                 7
                                                   
                                       APPENDIX


                              AUDITEE COMMENTS

The Auditee chose not to provide comments to this report.




                                               8