Overview
The Executive Office of Public Safety and Security (EOPSS) did not ensure that the Provider Sexual Crime Report (PSCR) forms, and the records transcribed from them into the PSCR master database, were free of personally identifiable information (PII).
Of the 35 PSCR master database records we reviewed for address information, 11 contained an address that matched the home address of a survivor of sexual assault as documented in the case files at the Massachusetts State Police Crime Laboratory (MSPCL). In addition, of the 14 full names we identified in the PSCR data, 5 were documented in the MSPCL case files as belonging to a direct relative of a survivor.
The lack of proper review of the PSCR forms, and of the data transcribed from them, has created a threat to the privacy and confidentiality of survivors of sexual assault.
Authoritative Guidance
According to Section 12A½ of Chapter 112 of the Massachusetts General Laws,
Every physician attending, treating, or examining a victim of rape or sexual assault, or, whenever any such case is treated in a hospital, sanatorium or other institution, the manager, superintendent or other person in charge thereof, shall report such case at once to the department of criminal justice information services and to the police of the town where the rape or sexual assault occurred but shall not include the victim’s name, address, or any other identifying information. The report shall describe the general area where the attack occurred.
Reasons for Issue
EOPSS told us that nurses at medical facilities incorrectly record certain survivor information in the Provider Sexual Crime Report. The Office of Grants and Research’s (OGR’s) analysts enter all of the information contained within the report into the master database.
Recommendations
- EOPSS should review its PSCR master database for any PII. In instances where PII is found, the associated PSCR form should be redacted.
- EOPSS should establish processes and controls to periodically review its PSCR master database to ensure that there is no PII present within its data.
- EOPSS should communicate to medical facilities that survivors’ confidential information is not to be included in any capacity within the PSCR form.
- EOPSS should provide training to OGR employees to ensure that they know not to include PII when entering data into the master database.
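As an added example (not EOPSS or OGR code, and not a description of how the PSCR master database is actually structured), the Python script below sketches the two controls the recommendations above ask for: a periodic scan of free-text fields for street addresses and for full names attached to a relative, patient, victim or survivor, and an entry-time gate that refuses or redacts a field before an analyst stores it. The field names (`incident_location`, `narrative`), the sample records and the regular expressions are all constructed assumptions; the patterns are heuristics that will miss many real names and addresses, so they supplement rather than replace the manual review the report calls for.

```python
"""Heuristic PII scan for free-text fields of PSCR-style records.

Added example, not EOPSS/OGR code. The record layout, field names and the
sample records are all constructed for illustration.
"""
import re
from dataclasses import dataclass

# Street-address heuristic: house number, one to three capitalised words,
# a street suffix, and an optional unit designation.
ADDRESS_RE = re.compile(
    r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
    r"(?:St|Street|Ave|Avenue|Rd|Road|Dr|Drive|Ln|Lane|Blvd|Boulevard|Way|Ct|Court)\b\.?"
    r"(?:,?\s+(?:Apt|Unit|#)\s*\w+)?"
)

# Named-person heuristic: a kinship or role word followed by a capitalised
# first and last name. The kinship words reflect the report's finding that
# relatives' full names appeared in the data; "patient"/"victim"/"survivor"
# cover the statutory prohibition on the victim's own name.
NAMED_PERSON_RE = re.compile(
    r"\b(?:mother|father|sister|brother|son|daughter|husband|wife|partner|"
    r"boyfriend|girlfriend|aunt|uncle|cousin|[Pp]atient|[Vv]ictim|[Ss]urvivor)"
    r"\b[,:]?\s+([A-Z][a-z]+(?:\s+[A-Z][a-z]+)+)"
)


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str   # "address" or "name"
    value: str


def find_pii(text):
    """Return (kind, matched_text) pairs for every heuristic hit in text."""
    hits = [("address", m.group(0)) for m in ADDRESS_RE.finditer(text)]
    hits += [("name", m.group(1)) for m in NAMED_PERSON_RE.finditer(text)]
    return hits


def scan_records(records, free_text_fields=("incident_location", "narrative")):
    """Periodic review control: scan every free-text field of every record."""
    findings = []
    for rec in records:
        for field in free_text_fields:
            for kind, value in find_pii(rec.get(field, "")):
                findings.append(Finding(rec["id"], field, kind, value))
    return findings


def validate_entry(text):
    """Entry-time gate for analysts: True only if no heuristic hit."""
    return not find_pii(text)


def redact(text):
    """Replace addresses and names in place; keep the surrounding context."""
    text = ADDRESS_RE.sub("[ADDRESS REMOVED]", text)
    return NAMED_PERSON_RE.sub(
        lambda m: m.group(0).replace(m.group(1), "[NAME REMOVED]"), text)


# Constructed sample records (assumed layout, not real PSCR data).
SAMPLE_RECORDS = [
    {"id": "R-001",
     "incident_location": "Residential area on the north side of Worcester",
     "narrative": "Patient presented within 24 hours; evidence kit collected."},
    {"id": "R-002",
     "incident_location": "12 Elm Street, Apt 3, Springfield",
     "narrative": "Assault occurred at the patient's home."},
    {"id": "R-003",
     "incident_location": "Parking lot near downtown Lowell",
     "narrative": "Accompanied by her mother, Jane Doe, during the exam."},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id} {f.field}: {f.kind} -> {f.value!r}")
```

Run periodically over a database export, the scan flags R-002 (a street address) and R-003 (a relative's full name) while R-001, which gives only the general area the statute asks for, passes clean. The entry-time gate applies the same patterns before a field is stored, which is the point at which the auditee's updated policy says PII must be omitted.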
Auditee’s Response
Section 12A½ of Chapter 112 of the General Laws requires medical providers to complete reports, referred to as PSCR forms, and, in doing so, to refrain from including personally identifiable information (PII). Those forms are, in turn, sent to OGR for inclusion in a PSCR master database, which is not publicly accessible. In other words, OGR staff transcribes the information in the records into a master internal PSCR database.
Unfortunately, in 11 out of the 35 records you reviewed for address information, providers had included the home address of a survivor of sexual assault, and this information was then entered into the database. As noted above, this information was never at any point accessible to the public.
While neither EOPSS nor OGR staff can redact PSCR forms, which are submitted by the medical providers, EOPSS has updated its Policy Manual to make clear that, irrespective of a provider’s compliance with the law, and even though the database is not publicly accessible, OGR staff must omit any PII from the PSCR database when they transcribe information from PSCR forms.
To the best of its ability, EOPSS has educated, and will continue to educate, medical providers and staff on their statutory obligations concerning PII. EOPSS does monitor and audit its PSCR database and will continue to do so.
Auditor’s Reply
While the PSCR master database data may not be publicly accessible, including names or addresses that could be associated with survivors or perpetrators of sexual assault in the PSCR master database poses a security risk to these individuals in the event of a data breach.
Based on EOPSS’s response, it is taking measures to address our concerns regarding this matter.
Date published: August 8, 2024