This page, Middlesex County District Attorney’s Office - Finding 1, is offered by
Office of the State Auditor

Middlesex County District Attorney’s Office - Finding 1

The Middlesex County District Attorney’s Office did not promptly revoke former employees’ access rights within the statewide sexual assault evidence collection kit tracking system and did not complete certain data fields in the system.

Skip table of contents

You skipped the table of contents section.

Overview

During the audit period, the Middlesex County District Attorney’s Office (MDAO) did not promptly revoke former employees’ access rights to the Track-Kit system. Specifically, of the 21 active user accounts for the Track-Kit system, 7 of these users were former employees. Additionally, MDAO did not complete certain data fields (i.e., the assignment of MDAO’s contact information in the system), despite this being part of the office’s role within the Track-Kit system, as defined by the system’s user manuals.

If MDAO does not promptly revoke former employees’ access rights to the Track-Kit system, then there is a risk of unauthorized access to sensitive case and survivor information. Additionally, if MDAO does not assign its contact information to SAECKs, then the Track-Kit System is not being used as intended under statute. Having MDAO contact information assigned to SAECKs allows survivors to have an informed single point of contact and can streamline outreach and reduce confusion.

Authoritative Guidance

Section 18X(g) of Chapter 6A of the General Laws states, “District attorney offices shall participate in the statewide sexual assault evidence kit tracking system established in this section for the purpose of tracking the status of all sexual assault evidence kits.”

The Track-Kit User Manual states that the role of the prosecuting attorney includes the following:

Review cases referred by law enforcement, if enabled.
Assign [MDAO contact information] to a kit.
Performing searches for kits available in the prosecuting attorney’s jurisdiction.

The Executive Office of Public Safety and Security’s (EOPSS’s) “Policies and Procedures for Sexual Assault Evidence Collection Kit Tracking,” dated January 2020, requires district attorneys’ offices to develop the following:

A policy to authorize access for new users of the system and to remove authorization from users who no longer require access, including users who have ended their employment, have been suspended, or terminated.

Further, Section 6.1.6. of the Executive Office of Technology Services and Security’s (EOTSS’s) Access Management Standard IS.003, dated July 15, 2020, states that access privileges should be removed “upon a transfer, termination or other significant change to a user’s employment status or role.”

Reason for Issue

MDAO did not have documented policies and procedures regarding the use of the Track-Kit system or the revocation of user access to the Track-Kit system upon termination of a user’s employment.

Recommendations

MDAO should assign its contact information to each SAECK within its jurisdiction in the Track-Kit system and should train its employees on how to use this system.
MDAO should develop, document, and implement policies and procedures for Track-Kit system access authorization for new users and the revocation of access upon termination of users. These policies and procedures should include periodic access reviews at least semiannually to ensure that users’ access rights are limited to their job requirements.

Auditee’s Response

As of February 3, 2025, all access has been revoked for users who have either ended employment or no longer require access. That information was communicated to the Audit team at that time.
It is important to note that Track-Kit does not contain survivor-identifying information. User logs were provided to the Auditor’s Office, which demonstrated that none of the former employees whose access was not previously revoked, accessed the system after separation. Thus, there was no improper access of case information.
The Middlesex District Attorney’s Office has implemented a policy informing employees with access to the Track-Kit system of the requirement to enter contact information.¹ The policy includes a semiannual review, to be conducted by the Director of Information Technology, to ensure that only users who require access for their job requirements have authorized access to the Track-Kit system.
We have been informed that EOPSS is developing a technical training and we remain open to accepting any further guidance.
[Footnote:]
1. All requested data has already been input into the Track-Kit System. On September 3, 2025, the Track-Kit system help desk advised [MDAO] that there was an error in the system that cut off some data from older kits which made it not possible to enter [assistant district attorney] and [victim witness advocate] information. This issue has been reported to the system administrator. Thus, we are presently in full compliance.

Auditor’s Reply

Based on its response, MDAO has taken measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.

Date published:	December 19, 2025

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage?

Yes

If you have any suggestions for the website, please let us know. How can we improve the page?

Please do not include personal or contact information.

The feedback will only be used for improving the website. If you need assistance, please contact the State Auditor. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback. You will NOT get a response.

If you need assistance, please contact the State Auditor.

Please let us know how we can improve this page.