Simulated Protected Data Leak Scenarios
Sharon, with the Federal Health Administration Agency, is coordinating a direct mail advisory update for its 16,000 hospital and clinic institutions and the patients they served from January 2004 through December 2005. Under a tight deadline, Sharon needs to send the patient address information to the FHAA’s Office of Communications located out of state so they can complete the mail distribution. Without notice, the FHAA’s secured email server fails and IT staff does not know when services will be restored. Sharon begins to panic but, after thinking about it a bit, she goes to her personal Web-mail account and attaches a spreadsheet with information on 155,000 patients, including not just their mailing addresses but also social security numbers, financial information and other personally identifiable information. She emails the attachment so she can meet her advisory deadline.
To obtain a passport, US citizens must go in person to one of 7,000 passport acceptance facilities located throughout the United States with proof of US citizenship and a valid form of photo identification such as a driver’s license. Acceptance facilities include many Federal, state and probate courts, post offices, some public libraries and a number of county and municipal offices. All data is normally transferred from the remote acceptance site to one of twelve regional processing centers over a secure VPN. Occasionally an application submitted by a citizen needs further evaluation by a specialist at the Passport Office Headquarters in Washington, D.C. For those applications, regional processing centers place a CSV file containing the names, addresses, dates of birth and SSNs on a local server, where it is accessed by a US Passport Specialist for further investigation and adjudication. Each of the twelve servers is password protected, but data transferred over the link is not secured.
Harold, working at the Federal Special Assistance Administration’s Audit Department in Washington, D.C., instant messages Janet at the Southwest Region in California that her earlier email (secured) containing the client assistance account information that he needed was missing some entries. Harold needs only 50 client account records to finish up his report for the month and call it a day. Janet looks up the records for each client that Harold needs and types the account information into the open IM session so that both she and Harold can call it a day.
The Office of Federal Employee Benefits installed a new Policy Holder Information Kiosk in the new regional office lobby six months ago. Policy Holders now use it to check account balances and medical benefit status as well as update personal information and make special requests. The Kiosk is connected via a VPN to the OFEE’s remote data center located out of state. During the initial installation at the new region, a temporary 30-day VPN certificate was used to secure data communications over the link while finishing touches were being completed. Installation of a permanent certificate was forgotten and thus never configured. For over five months, policy holder information has been sent over the link in clear text without anyone in IT being aware of it.

Pavisor helps to identify and protect against these scenarios and more with our PavisProtect™ Emergency Data and Infrastructure Protection Assessments.