USPS breach wider than first reported

Medical records of as many as 485,000 employees might also have been exposed, in cases reaching back to 1980.


Social Security numbers of U.S. Postal Service employees weren't the only data to be affected in September's cybersecurity breach at USPS. The agency is now saying that the medical records of as many as 485,000 employees might also have been accessed.

USPS alerted potential breach victims -- current and past employees who filed injury compensation claims between November 1980 and August 2012 -- with individual letters explaining their specific situations.

In the Dec. 10 letter to employees, USPS Chief Human Resources Officer Jeffrey Williamson said the potentially compromised information was stored in "a file relating to injury compensation claims," which includes medical information associated with that claim. NextGov first reported on the breach of the medical files.

Spokesman Dave Partenheimer said the information accessed in the breach can include victims' names, addresses and Social Security numbers, as well as their medical information.

At a National Press Club event in Washington, D.C., on Jan. 6, Postmaster General Patrick Donahoe said that at the time of the breach USPS was following best practices and recommendations of the private sector and federal government -- but considering the number of network breaches in the public and private sectors during that time, that might not assuage many of those affected.

Donahoe described USPS's cybersecurity posture as similar to that of most organizations -- a wall keeping malicious intruders out -- but said that in the months following the breach, improvements have been made.

"We've now employed a substantial change in not only maintaining the wall and building the wall to be stronger, [with] much more scanning internally," Donahoe said. "There's a lot of new products on the market right now that are not even for sale yet that we are using."

USPS has also hired a third party to conduct an "over the shoulder" review of its cybersecurity program. Donahoe said the goal is "to make sure that everything we're doing is better than industry standards."

The results of that review will not be made public, Donahoe said.