When a thief rang up $2,000 in charges at Victoria’s Secret, Gymboree and Gap on Rosa Franco’s credit card, she quickly surmised the reason – the state of California had mistakenly left her credit card and Social Security numbers exposed.

Twice.

The state Department of Developmental Services, which serves Franco’s 5-year-old daughter and thousands of others with disabilities, had in March 2012 left stacks of billing and patient records in an abandoned, unsecured office. In another case, an employee in November left his unencrypted computer in his unlocked car overnight. The computer and more than 18,100 patient records disappeared.

“They send you a letter saying, ‘Oh, I’m sorry, oops, your information is lost!’ ” said Franco, 46, who lives in Los Angeles with her husband and daughter, who has Down syndrome.

“Thousands of people got that letter,” she said. “It’s unfair. We already have enough stress with our kids being special needs. Now I have to watch my daughter’s Social Security number.”

The security breach was one of thousands reported by state agencies over the past decade, the result of hacking, employee carelessness and theft. In 2012 alone, 16 state agencies and affiliated nonprofits reported major data breaches, according to state data reviewed by The Center for Investigative Reporting.

Despite numerous laws and state policies aimed at protecting privacy, consumer information represents easy pickings for hackers and thieves. State agencies frequently fail to protect the confidentiality of patients and consumers, including those who are the most vulnerable to fraud and identity theft – children, the elderly and the disabled.

Nearly 10 years of state-collected data on computer security incidents involving confidential and private information reveals state agencies do not always encrypt computers, even when they contain confidential information affecting thousands of people. Of the 283 computers and phones containing confidential information that were reported lost and stolen, 25 percent were not encrypted.

In some cases, employee carelessness, not hacking, leads to security breaches. In 1,646 cases since 2003, confidential information was released after state employees lost equipment and documents or mailed and posted private information to the wrong place, according to a state database of preliminary reports.

About one-third of cyberbreaches are successful, according to the database. Agencies reported 49 out of 154 computer viruses, denial-of-service attacks and hacking attempts breached security. On several occasions, computers were disconnected from the network and destroyed after being infected with malware.

Michele Robinson, acting director of the state’s Office of Information Security, said the agency tries to continually train and instruct information technology staff across the state to protect and encrypt sensitive information.

“Obviously, we’ve seen incidents where they have not done that,” she said. “From our perspective, one of those is one too many.”

The cases run the gamut, from employee error to hack attacks to poor information security practices.

In little more than two years, for example, the Department of Motor Vehicles has mailed the wrong driver’s license or vehicle registration to more than 1,000 people, according to internal records. Last year, a courier left the keys in the ignition as he delivered a package and 283 Social Security numbers and driver’s licenses were stolen.

In April 2012, a thief stole an unencrypted computer from a state Department of Public Health service provider in Palm Springs that contained confidential information on 4,400 patients with AIDS. A month later, a package containing Social Security numbers for 748,902 elderly home care recipients and their caretakers was stolen en route to a state insurance office.

In November, the Department of Health Care Services accidentally posted 14,000 Social Security numbers for in-home care workers online. Nine days later, employees realized their mistake and took down the list. But workers were alarmed to find the information easily on Google.

Encryption has been a required state practice for years. A memo in 2008 from the Office of Information Security and Privacy Protection reminded state agencies to encrypt all devices containing confidential information, a requirement long outlined in the State Administrative Manual. Yet many agencies have not followed the procedure, allowing electronic information to fall into harm’s way.

“We definitely need to find out how rampant this situation is and rectify the situation as soon as possible,” said Assemblyman Ed Chau, D-Monterey Park, chairman of the Assembly’s Select Committee on Privacy. “Building a firewall to safeguard information is crucial.”

Without encryption, anyone can override a computer’s password and gain access to its confidential contents by removing the computer’s hard drive, using software or guessing. Technology experts say encryption is an easy procedure for any information technology department.

“People don’t realize that passwords are quite trivial,” said Seth Schoen, a senior staff technologist for the Electronic Frontier Foundation. “They should encrypt their data storage on every device. In the absence of that, whoever gets the device will be able to read it.”

By law, the California Highway Patrol is required to take reports on each security incident and investigate crimes involving state computers or those that are on state property. But Sgt. Kelly Dixon, an investigator in the Computer Crimes Investigation Unit, said limited resources make it impossible for the unit to investigate every crime.

“Theoretically speaking, we would be responsible,” he said. “Practically speaking, the local agency would come and take the report. We’re not going to investigate a vehicle burglary.”

Records show many agencies do not always send out notification letters immediately after security breaches, despite California’s first-in-the-nation law requiring businesses and state agencies to notify anyone whose unencrypted private information might have been accessed by outsiders.

Breaches involving theft of equipment are rarely investigated or lead to an arrest.

Last September, a Highway Patrol officer was shopping at a Sacramento Barnes & Noble when a thief broke into the trunk of his personal car, according to a state property report. The loot included a Highway Patrol-issued .40-caliber Smith & Wesson pistol, three .40-caliber high-capacity magazines and the officer’s unencrypted laptop containing confidential information, according to the database.

The officer called the Sacramento Police Department to make a report; no arrest was made.

In the case of the Department of Developmental Services records, a supervisor of a program for developmentally disabled infants and toddlers at the North Los Angeles County Regional Center had left his work laptop, personal laptop and iPhone in his car overnight on a street in Santa Monica, according to a police report. When he returned in the morning, the items were gone.

Although the state supervisor reported the thefts to the Santa Monica Police Department, the case never was investigated. Santa Monica police Sgt. Richard Lewis said the employee did not call police to collect evidence but dropped off a report he filled out himself, which meant the case would not be examined.

“I guarantee this case was never looked at,” he said, adding that the man did not identify himself as a state employee. “If we know it’s state property, we do a full-blown report.”

The Department of Developmental Services did not report the incident to the Highway Patrol or notify affected patients until two months later.

Nancy Lungren, the department’s assistant director of communications, could not explain the delay but said the regional center “has been reminded of their responsibility to submit timely reports on these type of security incidents.”

Shoshana Walter
