Personal information from Pandemic Unemployment Assistance program exposed

'Scary, lonely and frustrating,' says local victim
Posted at 5:30 PM, May 20, 2020
and last updated 2020-05-20 23:25:30-04

Sadie Healy of Cincinnati said she had been victimized in a previous data breach, so at least she knew what to do when it happened again.

But that wasn't much comfort when Healy was informed that her personal data and others who applied to Ohio’s Pandemic Unemployment Assistance (PUA) program was exposed on May 15. Information of at least two dozen applicants was seen by other claimants in the program, according to Ohio Department of Job and Family Services.

"It’s scary, lonely and frustrating," said Healy, who said she started Molloy Consulting for nonprofits two years ago but has been unemployed since April 1.

Another local victim, Katie Kreamelmeyer, called it “heartbreaking.” Both women said they have not received any money from PUA.

“We’ve come through a lot, and being an only parent, it’s been hard,” said Kreamelmeyer, a hair stylist at Salon Concepts who was out of work for two months. “And now knowing, I have to protect my identity ... Really, I’m losing faith in our system.”

In an interview with WCPO 9 Anchor Tanya O'Rourke, Ohio Gov. Mike DeWine apologized for the incident and said the affected PUA applicants would receive a year of free credit monitoring.

"We wanted to notify people, tell them that we’re sorry, but also give them the coverage for the next year in case someone was messing with their credit," said DeWine. "It was the vendor who had some errors."

Deloitte Consulting, the company contracted with ODJFS to assist the state in administering the program, told applicants in a letter that personal information such as their names, Social Security numbers, street addresses and receipt of unemployment compensation benefits were inadvertently available for others to view.

"At this time, there is no evidence or indication to believe that your personal information was improperly used; therefore, our actions, as well as the actions you may want to consider, are preventative," the company wrote.

Deloitte told affected applicants that it took immediate steps to stop further access to any personal information. The company encouraged applicants to monitor their credit report for any suspicious activity.

Healy had heard that before, so she froze her credit, contacted her bank and had a fraud alert put on her account.

"I was part of the Equifax breach, so clearly I’ve got a good track record here of being a part of this," said Healy. "But even with that, it was so frustrating and scary that they set you up automatically for these things so that your credit is frozen. I was just overwhelmed.

“A lot of the people I worked with, they would get that email and not know what to do.”

In a Wednesday statement, Deloitte spokesman Paul Dunker offered another explanation for what happened.

"The system was not breached. A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website. Within an hour of learning of this issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences," Dunker said.

During a video news conference on Zoom Wednesday morning, ODJFS Director Kimberly Hall did not mention the foulup that exposed the personal information. Hall did admit the new PUA system has had glitches.

"We’re examining with Deloitte all those nuances and hiccups that are kind of endemic to standing up a new system," she said.

WCPO reached out for an explanation and Bert Crow, ODJFS Communication Director, responded:

“Director Hall did not address this issue during her call today, because we owed it to the Ohioans who may have been affected to receive notice before we shared what happened with the media. We shared the news release about this incident with all the reporters who have been regularly participating in Director Hall’s media availability," Hall said in part.

PUA was created to assist workers who wouldn't usually qualify for unemployment benefits — for example, anyone with COVID-19, a family member with COVID-19 or caring with someone with COVID-19 qualifies for PUA. Self-employed workers, independent contractors, gig workers, workers serving penalty weeks through regular unemployment insurance, and workers with insufficient work history can also receive unemployment through PUA.

That was a lifesaver for Healy, she said.

“Once the pandemic hit, most nonprofits no longer had a budget where they could justify paying a consultant as they were looking at having to lay off a lot of their staff or change their funding,” she said.

But she wants the government to offer more help to victims in these cases.

"Not everybody has the same access to resources. I was grateful that I knew what to do … there’s so many people that don’t," she said. "Somebody needs to wave the flag to make sure the government and powers that be are working on a solution for those that don’t have access to getting their credit frozen, get that frozen.

“Somebody now has my Social Security number, and there’s so many places you can go with that."