The social security numbers and home addresses of thousands of unemployment applicants inadvertently were exposed this week in three states that had contracted with Deloitte to build unemployment portals.
In Ohio, Illinois and Colorado, thousands who applied for Pandemic Unemployment Assistance, or PUA, a type of unemployment newly available to the self-employed and gig workers, received notice that their personal information, including social security numbers, addresses, names and how much they were receiving in benefits, was exposed to other users.
A flaw in the system allowed three dozen applicants across to view the information of thousands. According to a spokesperson for the consulting firm, Deloitte halted the unauthorized access within an hour in each case.
Deloitte also worked with other states across to build out pandemic unemployment assistance portals after Congress created the program under the CARES Act in late March. No other states have seen inadvertent data breaches, according to Deloitte.
For many applicants, the news that their personal information had been exposed was the latest layer of bad news in what has been a months-long struggle to navigate their state's bogged-down unemployment systems.
Emily West, a 23-year-old mother and part-time waitress in Ohio, waited nearly three months for her unemployment checks to arrive. She first applied on the day she was laid off, March 16, but the PUA system wasn't operational until last week. She finally received checks for back pay on Tuesday.
It was welcome news, but the following day, she found an alarming email from Ohio's Department of Jobs and Family Services in her inbox.
"Deloitte discovered on May 15, 2020 that your name, Social Security number, and street address pertaining to your application for and receipt of unemployment compensation benefits inadvertently had the capability to be viewed by other unemployment claimants," the email read.
According to the letter, there is "no evidence or indication" that West's personal information was "improperly used" and the alert from the state was "preventative."
"The anxiety and uncertainty of being laid off for two months was alleviated for one day," West told ABC News. "Now I have to worry about someone possibly stealing my identity and wreaking havoc on my credit. It feels like unemployed Ohioans really can't catch a break."
Ohio's Department of Jobs and Family Services said 12 people had access to other people's information. They dismantled the feature within an hour of learning about it, according to a press release, but it's not clear how long it was accessible.
"Once the unauthorized access was identified, Deloitte fixed the issue within one hour. ODJFS contacted the individuals who had accidental access to the system data," the department said in a statement.
Situations in Illinois and Colorado were similar.
In Illinois, a constituent flagged her local representative about the problem. She was "visibly shaken" after inadvertently accessing a spreadsheet with thousands of people's personal information, according to a Facebook post by Republican State Rep. Terri Bryant.
According to the Illinois Department of Employee Security, an analysis found that the constituent was the only claimant able to inadvertently access other people's information, but a "full-scale investigation" is underway. IDES will release results of the analysis once it's done, the department said, and "will also explore further remediation on the part of Deloitte upon completion of the investigation."
Illinois' PUA system launched last week, after months of waiting, and 50,000 claims have since been processed.
In Colorado, six people accessed other claimants' applications, according to the state, and the accidental search function was available from May 2-15 -- almost two full weeks, according to The Colorado Sun. The 72,000 people in the state's PUA system were offered 12 months of free credit monitoring.
"We are deeply committed to protecting the personal information of our clients and the people they serve. The systems were not breached. A unique circumstance enabled about three dozen Pandemic Unemployment Assistance claimants across three states to inadvertently access a restricted page when logged into their state's PUA website," Deloitte said in a statement about the data exposure.
"Within an hour of learning of this issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences. Out of an abundance of caution, we are offering 12 months of free credit monitoring to those PUA claimants potentially impacted."
There is no evidence of hacking or malicious activity in each of these states so far, though the error serves as a reminder of the risk that comes with rushed implementation seen across the country as states scramble to support residents enduring record-breaking job loss.
The data exposure in the PUA system is not the first of its kind from the quick rollout of new government programs created by the CARES Act. A similar situation occurred with emergency relief loans through the Small Business Administration and in April, when sensitive information submitted by Native American tribes to the Department of Interior was released.