Baltimore County authorities say they found Social Security numbers and other personal information from more than 12,000 current and former county workers on the computer of a man who used to work for a county information-technology contractor.
The man is in custody in another state and is to be extradited to Maryland to face charges in an unrelated identity-theft case. Police say the hard drive on a personal computer seized by authorities contains information that includes county employees' home addresses, salaries, leave balances and county identification numbers.
On Thursday, county officials sent a letter to employees informing them of the breach but said no personal financial information of any county worker was found on the man's computer.
"At this time, there is no evidence that any employee's information was misused in any way," County Administrative Officer Fred Homan wrote in the letter.
The man is a suspect in an unrelated investigation, but detectives have no evidence that the county employee data found on his hard drive is linked to any identity-theft cases, said Elise Armacost, a county police spokeswoman.
"Our forensics people are still reviewing the contents of the hard drive," she said, adding that the investigation is continuing.
The man, whom Armacost would not name because he had not been charged in the case involving county employee data, worked for a county contractor between December 2011 and July 2012, according to Homan's letter.
The county hired the contractor to move computers around offices, said county spokeswoman Ellen Kobler.
Officials believe the man accessed the information when he was bringing a new computer to a county employee who had downloaded the data to complete work assignments.
The county still has a contract with the company that employed the man. Since 2011, the contract has been held by subsidiaries of World Wide Technology Holding Co. Inc., based in St. Louis, according to the county law office. A representative of the company could not be reached Thursday for comment.
Armacost said police discovered the county employee data while investigating the unrelated identity-theft case.
In July 2012, county police received a complaint from the man's neighbor that he was using fake checks and fake identification to buy things, Armacost said. Police executed a search warrant on his home, seizing the personal computer and other evidence.
The man was indicted by the Baltimore County state's attorney's office in spring 2013 but fled the state and wasn't arrested, she said.
After the man was taken into custody Oct. 15 in another state — county police wouldn't say where — the department's forensics division was reviewing the hard drive and last week discovered the personal information of thousands of current and former employees, Armacost said.
The county is changing security practices, said County Attorney Mike Field.
A "small number of employees" who have passed strict background checks have access to other employees' personal information They were not allowed to download that information onto remote devices such as flash drives and CDs, but were able to download the data to their hard drives. Now, those workers will be barred from downloading personal information onto their hard drives, Field said.
The county's office of information technology will routinely scan all county computers to ensure that personal information is not being stored on them, Homan said in the letter to county employees.