Sen. Michael D. Crapo, Idaho Republican, expressed on Wednesday his “disappointment” about the loss of personal data for 59,000 employees at the Energy Department’s Idaho National Laboratory.
“I hope your department will continue to follow up on efforts to protect the credit histories of those individuals, and I encourage you to do everything you can to protect against this type of thing in the future,” Mr. Crapo told Energy Secretary Steven Chu, who oversees the nation’s 17 national energy labs, at a hearing on the department’s 2010 budget.
Energy Department officials said Friday that a computer disk containing personal information on most employees who were issued a badge at the Idaho lab since 1949 was lost in shipment by UPS.
The disk, which included the names of employees and their Social Security and badge numbers, was lost in shipment from New York to Maryland. UPS alerted the Energy Department about the loss Jan. 30 and is working with the department’s Office of Health, Safety and Security to retrieve the data.
Idaho’s congressional delegation requested Saturday that the Energy Department establish tougher security measures for employee information.
The data was being sent as part of the department’s Former Worker Medical Screening Program, a screening program for federal workers who may have been exposed to hazardous or radioactive materials.
Queens College, which was contacting former employees to alert them about the program, shipped the disk to the Center for Construction Research and Training, said Brad Bugger, an Energy Department spokesman. The package arrived damaged and missing the disk.
Shipments of further data for the medical program have been suspended pending the results of the investigation. The computer disk containing the data is password-protected, although information about whether the data was encrypted was not immediately available.
“This is the transportation of the disk — we call this ‘data on the move,’” said Linda Foley, who founded the Identity Theft Resource Center a decade ago.
Mrs. Foley was quick to note that while the data has been lost, the workers are not necessarily victims of identity theft. She suggested they set up fraud alerts on their credit reports for at least six months.
Three states — Connecticut, Massachusetts and Nevada — have passed laws requiring that personal data be encrypted, as well as password-protected, to add an additional layer of security.