Federal contractors who handled the personal information of thousands of soldiers, Army civilians and their families involved in an Army-wide child-care subsidy program did so before completing background checks or privacy training, an investigation found.
Facing a backlog of roughly 6,500 emails and phone messages about a year after taking over administration of the Army Family Assistance program, the General Services Administration hired 20 additional contractors to assist, according to a report released Monday by the GSA inspector general's office.
GSA officials allowed the contractors to begin work without undergoing an initial background check, granting them access to a system that includes "birth certificates of Army children, tax returns (IRS Form 1040s), leave and earnings statements, school schedules of spouses, locations of childcare providers, and times when children were in childcare," according to the report.
The Office of Personnel Management, which runs most federal background checks, eventually flagged three of the 20 new hires. Two were removed from their duties, the report says, and the third left before the investigation concluded.
"Once the vulnerability was discovered, GSA immediately put into action a corrective plan, including offering free credit monitoring to the affected families," GSA spokeswoman Jackeline Stewart said in an emailed statement. "The agency has begun to address the IG's findings by assessing and revising its internal approval processes and policies, and locking contractor access to sensitive information until individuals are fully vetted and cleared."
The AFA program offers child-care subsidies to active-duty soldiers, Army civilians, survivors of fallen soldiers and others, including some National Guard and Reserve members, for off-post locations when on-post care isn't available. GSA had administered the subsidy for about 200 Army families who used off-post federal child care, but took over 9,000 more families in 2014, the report states.
Investigators found no evidence that any data had been stolen or used inappropriately by the three former contractors or any others, IG spokeswoman Sarah Breen said Wednesday; the IG began the investigation in response to concerns over the backlog. The office plans a follow-up report in the coming months, Breen said, which would be followed by a GSA response, likely outlining program changes and accountability measures.
In addition to skipping background checks, the report found the contractors didn't have the proper privacy and security training for their positions. The inspector general received a complaint from a program member who said by providing an "old identification number" to the program's help desk, they received the names of their children, the location of schools and child-care providers, and "other personal information."
The GSA also allowed contractors to access information without signing mandatory nondisclosure agreements, according to the report, which noted that the agency couldn't provide NDAs for seven of the workers, including the three individuals flagged during background checks.
Some contractors also were allowed to telework while accessing sensitive personal information — an action that violates program data-security policy, the report states.
A spokesman for Army Installation Management Command, which oversees the AFA program, did not immediately respond to a request for comment.
Kevin Lilley is the features editor of Military Times.
