CLEVELAND — Personal data of individuals who applied to Ohio’s Pandemic Unemployment Assistance (PUA) program was exposed in a data breach on May 15, causing information of at least two dozen applicants to be seen by other claimants in the program, according to a letter shared by the Ohio Department of Job and Family Services.
It’s just infuriating," said Noelle Morovich. "It makes me so incredibly angry and stressed out on top of everything else."
The Lakewood business owner said she received an e-mail notifying her about the data breach Wednesday.
Deloitte Consulting, the company contracted with ODJFS to assist the state in administering the program, told applicants in a letter that personal information such as their names, Social Security numbers, street addresses and receipt of unemployment compensation benefits were inadvertently available for others to view.
"At this time, there is no evidence or indication to believe that your personal information was improperly used; therefore, our actions, as well as the actions you may want to consider, are preventative," the company wrote to an applicant in the program.
Deloitte Consulting told affected applicants that it took immediate steps to stop further access to any personal information. The company encouraged applicants to monitor their credit report for any suspicious activity.
"All the ramifications of that and what it could be used for just is frightening and could go on for years," said Morovich.
Morovich owns Paws in the Land, a dog sitting business. She said her business has been severely impacted by the pandemic.
During an interview, Ohio Governor Mike DeWine apologized for the vendor's error and said PUA applicants would received a year of free credit monitoring.
"We wanted to notify people, tell them that we’re sorry, but also give them the coverage for the next year in case someone was messing with their credit," said Gov. DeWine.
BREAKING: #Ohio PUA data breach. @OhioJFS just shared a letter from Deloitte Consulting saying at least two dozen PUA applicants' information could be viewed by other applicants. I"ll have the full story tonight on News 5 at 6pm.— Sarah Buduson (@SarahBuduson) May 20, 2020
In a statement to News 5, a Deloitte Consulting spokesman wrote that the data breach was not widespread and was quickly fixed.
“We are deeply committed to protecting the personal information of our clients and the people they serve. The system was not breached. A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website. Within an hour of learning of this issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences," according to Paul Dunker, Public Relations, Deloitte Consulting.
PUA was created to assist workers who wouldn't usually qualify for unemployment benefits — for example, anyone with COVID-19, a family member with COVID-19 or caring with someone with COVID-19 qualifies for PUA. Self-employed workers, independent contractors, gig workers, workers serving penalty weeks through regular unemployment insurance, and workers with insufficient work history can also receive unemployment through PUA.
Ohio has been one of the slowest states to start processing PUA payments. ODJFS began accepting online applications last week. At the time, 37 other states had already begun processing payments.
During a video news conference on Zoom Wednesday morning, Ohio Jobs and Family Services Director Kimberly Hall did not mention the data breach.
Hall did admit the new PUA system has had glitches.
"We’re examining with Deloitte all those nuances and hiccups that are kind of endemic to standing up a new system," she said.
"The way that this has been handled has been an absolute disaster," said Morovich.
While she continues to wait for unemployment benefits, she said she now also has to worry about identity theft.
"It took two months for them to create this and they couldn’t even have the proper security measures in place?" she said.