Data on adult-education students missing

NOTIFICATION LETTER: Read the VDOE warning about personal data loss

A flash drive containing personal information for more than 100,000 former adult-education students is missing, according to state officials who now are trying to notify all those affected by the security breach.

As of late yesterday, there was no indication the flash drive had been found or that the information on it -- including names, Social Security numbers, birth dates and other personal information -- had been accessed, according to the Virginia Department of Education.

Still, Education Department officials are mailing letters to 77,577 former adult-education students advising them of the loss and steps they can take to protect themselves from identity theft. They also are trying to get word to an additional 25,693 former students whose mailing addresses they do not know.

The flash drive disappeared after a Sept. 21 meeting in Richmond between representatives from Virginia Tech's Center for Assessment, Evaluation and Educational Programming and staff from the state's adult-education office, Education Department spokesman Charles Pyle said. The state contracts with Tech for federally mandated research and data analysis regarding adult education.

During that meeting at the state Education Department offices in downtown Richmond, an adult-education employee handed the flash drive to a Tech representative, Pyle said.

"Contrary to department policy, the data on the flash drive were not encrypted," he added.

The Tech employee informed the adult-education office the next day that the flash drive was lost and that efforts to find it were unsuccessful, Pyle said.

Julie Grimes, a department spokeswoman, said the Education Department is disclosing the data loss now because officials hoped they would locate the drive, and then it took time to compile the addresses for the students affected. On Sept. 30, the department requested bids from printers to produce the thousands of letters that were mailed this week, she added.

Larry Hincker, associate vice president for university relations at Tech, said yesterday: "We regret that a flash drive containing personal information on former and current adult-education students in Virginia was lost by a university employee. The university is taking appropriate disciplinary actions with that employee.

"It is unfortunate the Virginia Department of Education did not follow existing protocols to transmit personal information on an encrypted flash drive or via a secure transmission of data via the Internet," Hincker continued. "It is also unfortunate that our employee chose to accept the unsecured data, which is not our standard practice nor Virginia Department of Education policy."

Of the lost data, Superintendent of Public Instruction Patricia I. Wright said yesterday: "Protecting the privacy of students is a solemn obligation, and the Virginia Department of Education has policies and secure systems to safeguard data and prevent the loss or misuse of personal information."

"However," she added, "no policy or system is immune from human error."

Pyle declined to discuss any action taken against the Education Department employee, citing a personnel matter. Because of this case, flash drives no longer are allowed to be used in these instances -- whether the data is encrypted or not, Grimes said.

State education officials are asking that people who do not receive a letter but who finished an adult-education course from April 1, 2007, to June 30, 2009, or who passed a high school equivalency test from Jan. 1, 2001, to June 30, 2009, call the department at (877) 347-5224 for more information.

Contact Olympia Meola at (804) 649-6812 or .