The personal information records of more than 1.4 million Maryland students were stored improperly, an audit of the Maryland State Department of Education found.
The information, along with records for 233,310 teachers, was stored in plain text in databases and applications without adequate safeguards, according to a report from the Office of Legislative Audits released last week.
Auditors concluded that the department should revisit an effort to catalog all sensitive personally identifiable information that it stores and upgrade protections. In a response, the department said it is working with the state Department of Information Technology to complete a list of all personally identifiable information maintained by the agency by Sept. 30, and will delete from all systems any information that doesn’t need to be retained.
The education department will also work with the Department of information Technology on an information technology disaster recovery plan, which was noted by auditors to be incomplete.
The auditors’ review also found 15 servers that were running outdated software and programs susceptible to malware. Programs for the servers were last updated by the developers in 2015. Additionally, as of last July, 249 of 483 computers running one potentially vulnerable application had not been updated for the latest software updates, but were using versions last updated as far back as 2008.
In a response, the agency noted that half of the 15 servers had been decommissioned and the other half are expected to come offline by the end of this year. The agency will begin six-month check-ups to ensure that individual computer programs are up-to-date, the response said.
The audit included reviews of several parts of the education department between July 1, 2014 and Dec. 31, 2017.
Department of Rehabilitation Services
A review of the Division of Rehabilitation Services, which helps people with physical or mental disabilities live independently by providing vocational and medical services, noted delays in getting services to consumers and cost overruns.
The audit found that expenditures for about 2,600 active consumers exceeded the amounts estimated in their Individual Plans for Employment, about $12.2 million, by more than $10.9 million, an 89 percent excess.
The division said it will begin generating reports that indicate when a consumer’s actual costs are about to exceed the estimated cost and update their individual plans as necessary.
The auditors also noted delays in getting services to people referred to the division for services. During a review of 20 cases, the division was delinquent in making contact with eight people after receiving referrals. While policies dictate that people should receive a response within 10 days, at least one initial contact was made 77 days late.
Policies also state that individual plans should be completed within 90 days of an eligibility determination, but six of the 20 consumers received the determination later, between 22 days to 474 days beyond the 90-day window.
The division is working to streamline the referral process and increasing monitoring of deadlines.
Finally, the audit concluded that delays in applying for reimbursements for federal grants cost the state interest income. While an oversight in applying for reimbursement for $92 million in qualified expenses was rectified, the state missed out on approximately $300,000 in lost interest income, the audit concluded.
Auditors also suggested that the state do more to monitor performance by local government agencies and nonprofits that receive state grants.
The full audit is online.