Department of Human Services
Identity and Public Benefits Theft
Approved for Public Release
In September of 2013, the
Pennsylvania Office of Inspector General (OIG) initiated an investigation concerning
allegations of identity and benefits theft involving the Pennsylvania
Department of Human Services (DHS), formerly known as the Department of Public
Welfare. The matter was brought to the
attention of OIG by a police detective in a municipal police department. As a result of the detective’s referral, OIG
interviewed various individuals employed at a DHS County Assistance Office-Change
Center (CAO-Change Center). In July of
2014, OIG completed its investigation and provided its findings and
recommendations to DHS.
On September 12, 2013, a municipal
police department police detective arrested an individual for credit card fraud
and identity theft. A search of the
individual’s vehicle revealed several documents appearing to be computer printouts
from the DHS electronic Client Information System (eCIS) bearing the names,
birth dates, Social Security numbers, addresses, and other personal information
of multiple benefit recipients. The
individual arrested was not a Commonwealth employee. The detective immediately alerted OIG.
OIG searched Commonwealth employment
records and public benefits records and discovered the arrested individual was
neither a current nor past employee of the Commonwealth and the individual never
received public benefits. The usernames
on the documents seized by the detective and provided to OIG led OIG to DHS
Income Maintenance Caseworkers (IMCW) in a CAO-Change Center.
DHS maintains CAO-Change Centers
throughout Pennsylvania, including the center that was part of OIG’s
investigation. This CAO-Change Center
assists DHS clients who cannot reach their traditional County Assistance Office
(CAO). Unlike other CAOs, clients are
not seen at the CAO-Change Center.
Instead, the staff interacts with DHS clients via telephone. Client identity is verified first and then
the IMCW updates cases with caller information and requests. As part of their normal duties, the CAO-Change
Center staff will also print out forms, such as medical assessment forms, applications
for the Supplemental Nutrition Assistance Program (SNAP), and income
verification forms, which can be mailed to clients.
OIG interviewed a DHS Income
Maintenance Administrator who confirmed the seized documents were DHS printouts
and the usernames corresponded to employees at a CAO-Change Center. The Administrator explained that one type of
document seized by the detective was a “My COMPASS Account Benefit Details”
form, which could be disseminated to a specific client by mail after client
identity is verified. The other
documents seized were screen shots of client information and copies of “764
These documents are for internal use only and are never to be
distributed to the clients or the public.
The Administrator told OIG that office
policy is that only “My COMPASS” system printouts may be given to clients. This information is also available to the
client through the internet. The
Administrator provided OIG with a copy of an April 4, 2012, Operations
Memorandum outlining the policy and stating: “CAO employees should no longer
provide screen prints of CIS screens” to clients.
Another Income Maintenance
Administrator told OIG that none of the “My COMPASS” forms should be stored and
any printed documents that are not needed should be shredded. Each employee should utilize a bin where
internal documents are placed after use.
This bin should be emptied into a larger locked bin at the end of each
day or week. The documents in this
larger bin are then destroyed through approved means. Also, faxes from clients updating their
information are stored for 30 days in the office of an IMCW supervisor on a
rotating basis. After 30 days, these
forms must also be destroyed.
The Administrator explained eCIS
history screen shots are not for public use; however, they could be mailed to a
client if the client is looking for benefit information. The Administrator was not aware of the April
4, 2012, Operations Memorandum prohibiting the dissemination of eCIS screen
shots to clients, but stated it “probably came through.” She admitted some other workers might not be
following the Operations Memorandum either because they do not know about the
policy or may do things differently because they misunderstand it.
OIG also interviewed the IMCWs whose
usernames appeared on the documents seized by the detective. One IMCW told OIG that forms to be shredded
are kept on top of her desk until she makes her daily trip to the shred
area. She does not utilize a box under
her desk to hold these documents. This caseworker
was not aware of any policy against keeping internal documents on desktops
after work hours. Another IMCW told OIG
that, despite having worked at the CAO-Change Center for four years, she was
unsure what the policies were regarding dissemination of client forms and the
use of screen shots. The IMCW also
confirmed that she does not use a locked shred bin to collect discarded forms.
OIG did not find evidence that DHS’s
IMCWs improperly disclosed eCIS records to the individual who was discovered by
the police detective to be in possession of the records; however, the
investigation revealed DHS staff may not have been fully aware of and using
appropriate safeguards to mitigate the disclosure of recipient records.
As a result of its investigation, OIG made
the following recommendations to DHS:
supervisors should review policies regarding dissemination of forms containing
sensitive client information and train CAO-Change Center employees on those
should implement policies regarding the destruction of forms containing
sensitive client information;
should secure the CAO-Change Center office to ensure that only the office staff
have access to the worksite; and
should take any other action(s) it deems appropriate.
Based on OIG’s recommendations, DHS reinforced
with the Change Center staff the importance of the existing Operations
Memorandum (OPS120402, Client Information, April 4, 2012) that
outlines the proper way to send benefits information to clients. In addition, all Change
Center staff will be required to complete Safeguarding Information training on
an annual basis. Security will also be
reviewed at the Change Center sites and changes will be made accordingly.