A Maryland Department of the Environment laptop computer stolen from an employee's car last weekend held personal information, including Social Security numbers, for 10,000 residents registered with one of four state boards.
The car was recovered, but not the laptop, said Robert Ballinger, deputy director of communications for the department.
Ballinger said all 10,000 people identified in the database have been notified via mail. The computer included names, addresses and phone numbers of members of the boards of well drillers, environmental sanitarians, waterworks and septic inspectors.
The computer and the file were protected with separate passwords, Ballinger said.
"We feel confident that the data on the laptop was unattainable to the person who stole it," he said.
Identity-theft experts said the state made several mistakes in this case, which follows other local data-storage lapses, notably a Department of Natural Resources breach that jeopardized information about 1,433 current and retired agency employees and the loss of computer tapes containing personal records for 135,000 Johns Hopkins employees and patients.
Computers holding sensitive information should never be left in cars, even in locked trunks, as happened in the most recent case, said Linda Foley, founder of the Identity Theft Rescue Center in San Diego.
"Our motto is 'Out of sight means out of control,'" she said.
Data should be encrypted, Foley said, not just protected by passwords. A hard drive can be transferred to an unprotected machine, where it could be accessed without a password.
"There are a lot of programs that can get past passwords," Foley said.
Ballinger said three credit bureaus were notified of the breach and that the department is urging people affected to contact them directly to request a fraud alert for their accounts.
Foley said state officials, rather than notifying the credit bureaus, should have advised those potentially affected by the lost laptop to contact the bureaus, which, she said, often peddle unnecessary products.
"What they should have done is said to these people, 'Contact the three credit report agencies, place a fraud alert on there and renew it again after 90 days,'" she said. "Most people do not know and are not told."
Christine Hansen, a deputy press secretary for Gov. Martin O'Malley, said the governor thinks the department took "the appropriate action."
"They are currently pursuing an investigation," she said. "They are doing everything possible."
The Baltimore Police Department is also investigating, Ballinger said. He would not specify where the car was when it was stolen or when it was found, noting only that it was taken from and found in Baltimore.
Ballinger said the computer was stolen from the personal car of an information technology worker who "was authorized to use the computer outside of the office." He said that by locking the computer in the trunk, the state worker was following department procedures. He would not identify the employee.
At Hopkins, a courier mistakenly left a box of computer tapes containing personal records at the wrong stop. The tapes were probably discarded.
The Department of Natural Resources information was contained on a miniature storage device that was lost by an agency employee.
During the past General Assembly session, lawmakers approved a measure allowing consumers to freeze their credit reports to help prevent identity theft.
Information about the latest MDE breach is available on the department's Web site, www.mde.state.md.us.