Notification: Potential Access to Personally Identifiable Information

The New York State Education Department (NYSED or the Department) discovered a recent data security incident that may have involved the personally identifiable information of certain professional licensure candidates and those who were eligible for certain professional permits.

Please note that no unauthorized access has been confirmed, nor has any unauthorized use of this data been reported to NYSED. The Department is providing this notification out of an abundance of caution.

NYSED took immediate action to remove all access to the information and has since instituted appropriate corrective action to ensure all data NYSED possesses is secure.
    • Which professional licensure candidates are affected by this data security incident?
      • NYSED discovered the insecure transmission of files took place from April 30, 2008 to October 14, 2021. Potentially affected individuals are those:

        • Who met the qualifications to take licensure exams in the professions of certified histological technology, clinical laboratory technicians, clinical laboratory technology, creative arts therapy, cytotechnology, licensed clinical social work, licensed master social work, marriage and family therapy, mental health counseling, and psychoanalysis;

        • A small number of individuals who were eligible for permits in the profession of licensed master social work from July 2019 to 2021; and

        • A small number of individuals who were eligible for permits in the professions of physical therapy and physical therapy assistant in 2021.

        No other professions were affected by this incident.

    • Were applications for exams in professions that are not listed above affected by this incident?
      • No. The only professions that were affected are those:

        • Who met the qualifications to take licensure exams in the professions of certified histological technology, clinical laboratory technicians, clinical laboratory technology, creative arts therapy, cytotechnology, licensed clinical social work, licensed master social work, marriage and family therapy, mental health counseling, and psychoanalysis from April 30, 2008 to October 14, 2021;

        • A small number of individuals who were eligible for permits in the profession of licensed master social work from July 2019 to 2021; and

        • A small number of individuals who were eligible for permits in the professions of physical therapy and physical therapy assistant in 2021.

    • What was the nature of the data security incident?
      • NYSED discovered that personally identifiable information (PII), which was submitted to NYSED in connection with individuals’ eligibility to take certain state licensure exams, was transmitted in a non-secure manner to vendors associated with holding these exams. 

        NYSED discovered the insecure transmission of files from NYSED to vendors took place from April 30, 2008 to October 14, 2021. Files were removed and replaced at the end of each week; thus each file was only available for a one-week period of time at the prescribed URLs. Each test vendor only had access to eligibility information for the exam(s) it administers.

        The information in the transmitted files is believed to contain first and last name, date of birth (or partial date of birth), and social security number. In order to access the files with this information, an individual must have had knowledge of the specific URL location where the files were posted. The affected URLs were only transmitted to the appropriate test vendors and were not accessible on the Department’s website at any time.

    • What is NYSED doing to ensure the data it possesses is secure?
      • Upon discovery, NYSED immediately changed its data-transmission methods for exam eligibility to eliminate the potential for any unauthorized access and has since instituted appropriate corrective actions to ensure all data NYSED uses for exam eligibility is secure.
    • Was personally identifiable information provided to NYSED for other purposes, such as professional license re-registration or fee payment, compromised?
      • No. The only individuals who may have been affected are certain applicants for licensure between April 2008 and October 2021 or those who filed a permit application from 2019 to 2021 in the professions listed above. Information provided for other purposes, such as for re-registration and fee payment, is secure and was not impacted by this security incident.
    • What actions can I take to protect myself from identity theft?
      • There are several actions affected individuals can take to protect themselves from the possibility of identity theft.

        Place a fraud alert on your credit files. A fraud alert conveys a special message to anyone requesting your credit report that you suspect you were a victim of fraud. When you or someone else attempts to open a credit account in your name, the lender should take measures to verify that you have authorized the request. A fraud alert should not stop you from using your existing credit cards or other accounts but it may slow down your ability to get new credit. An initial fraud alert is valid for 90 days. To place a fraud alert on your credit reports, contact one of the three major credit reporting agencies at the appropriate number listed below or via their website. One agency will notify the other two on your behalf. You will then receive letters from the agencies with instructions on how to obtain a free copy of your credit report from each.

        Equifax or (888) 766-0008

        Experian or (888) 397-3742

        TransUnion or (800) 680-7289

        Place a security freeze on your credit report. New York residents can also place a security freeze on their credit reports. A security freeze prevents most potential creditors from viewing your credit reports and, therefore, further restricts the opening of unauthorized accounts. For more information on placing a security freeze on your credit reports, please go to the New York Department of State Division of Consumer Protection website.

        Review your credit reports carefully. When you receive a credit report from each credit agency, review the reports carefully. Look for accounts you did not open, inquiries from creditors that you did not initiate, and confirm that your personal information, such as home address and Social Security number, is accurate. If you see anything you do not understand or recognize, call the credit reporting agency at the telephone number on the report. You should also call your local police department and file a report of identity theft. Get and keep a copy of the police report because you may need to give copies to creditors to clear up your records or to access transaction records.

        Even if you do not find signs of fraud on your credit reports, you should remain vigilant in reviewing your credit reports from the three major credit reporting agencies. You may obtain a free copy of your credit report once every 12 months by visiting AnnualCreditReport.com, calling toll-free 877-322-8228 or by completing an Annual Credit Request Form and mailing to:

        Annual Credit Report Request Service

        P.O. Box 105281

        Atlanta, GA 30348-5281

        For more information on identity theft, please visit the following websites:

        New York Department of State Division of Consumer Protection

        NYS Attorney General

        Federal Trade Commission

    • How can I get additional information?
      • If the information you are seeking is in not answered in the Questions and Answers above, please submit a question.

 

Last Updated: November 5, 2021