Montgomery County’s Inspector General is raising concerns for the second time this year about personal information of children being at risk of a security breach.

Megan Limarzi released a report Tuesday concerning at least 529 child victims of sexual or physical abuse or neglect at the Tree House Child Advocacy Center in Rockville. Their names, biographical data, medical information, clinician, notes and details of their abuse were available to any county employee or contractor that had access to a shared platform as of late September.

The Inspector General didn’t say whether the data was actually accessed by unauthorized users, but that the question should be pursued.

Limarzi reported on another set of unsecured documents in May. That case involved Medicare benefits applications stored on a shared platform at the county’s Department of Health and Human Services, involving social security numbers, date of birth, Medicare numbers, bank checking account numbers, and applicants’ addresses.

Limarzi says county agencies aren’t taking seriously recommendations to either delete the sensitive information or restrict access to personal documents on the shared platforms.

“I am not aware of any action taken by DHHS to prevent the exposure of sensitive information through information sharing platforms or to educate and inform staff of the need for appropriate action,” she wrote in her report.

Limarzi is recommending that the county’s department of technology services restrict access to Tree House’s shared site and files, assess the extent to which childrens’ information was accessed by people, discontinue use of file sharing platforms until data security can be addressed, alert county employees to vulnerabilities of shared documents, and delete documents containing personal identifiable information from shared platforms.

However, the county’s Chief Administrative Officer, Richard Madaleno, said they were unable to discontinue the use of shared platforms or delete sensitive information from those platforms.

“Discontinuing the use of file sharing and collaboration across the county would drastically impact business operations, especially during a time of significant telework,” Madaleno wrote in a response letter. “Instead, the county must continue using file sharing while implementing appropriate safety measures to prevent exposure of sensitive data to other users in the county.”

Madaleno also wrote that the county has acquired software to help limit access to personal documents.

County agencies have already fallen prey to other computer system data breaches. Some 6,000 accounts on Naviance, an online program that students in Montgomery County Public Schools use to prepare for college and career, were hacked by a student late last year.

In 2018, then-Inspector General Edward Blansitt noted a “need for updated procedural and policy controls on access to information.” That report also cited a 2017 Health Insurance Portability and Accountability Act [HIPAA] compliance audit which found “inadequate or outdated computer security policies and procedures.” A security assessment conducted in 2017 by the Gartner Corporation made recommendations that may have prevented future incidents.

The Montgomery County Council is expected to be briefed on the report at a later date.