DHS: Emails potentially lost due to encryption snafu total 432,000
The Iowa Department of Human Services says it lost as many as 432,000 emails that were encrypted and rendered unreadable after a change in software.
As the Iowa Capital Dispatch reported last week, an attorney with the law office of Roxanne Conlin recently deposed an information technology worker for DHS in an effort to find out why emails the agency had turned over during litigation were encrypted, displaying nothing but lines of seemingly randomized characters.
The tech testified that agency emails were encrypted from 2017 to 2018 using software called Virtru. The software automatically encrypted any emails, within the entire DHS system, that happened to include one of roughly 120,000 predefined words that would suggest the contents dealt with confidential matters, such as child abuse. The recipients of those emails received a code to decrypt the emails and make them readable. In 2018, after DHS switched encryption programs, DHS lost the ability to decrypt and read the emails.
DHS officials said Friday that about 432,000 emails were affected by the change.
According to the testimony of the tech, DHS has been able to decrypt about 10% of the emails processed by Virtru, but fewer than half of that subset of emails can be decrypted without errors that could potentially alter the meaning of the communications.
Department spokesman Alex Carfrae said Friday that in December 2016, the department transitioned from Microsoft Outlook for email to Google Mail, a process that included the adoption of the Virtru software. About 18 months later, in June 2018, DHS switched back to Microsoft Outlook. At that point, Carfrae said, DHS believed that it would maintain the ability to decrypt the Virtru emails for another 12 months – but “after several successful decryptions of emails, the ability to do so stopped working.”
He said DHS “maintains contact” with Iowa’s Office of the Chief Information Officer regarding that issue, but he did not elaborate. He said DHS’ email system is not “the system of record for child-welfare cases” and so those cases are not affected by the loss of any emails.
He noted that a commission that deals with record retention has recommended that DHS retain emails for only one year, although agency policy is to retain emails for three years. All of the encrypted emails now fall outside that three-year window and would be purged anyway, he said, except for those involving DHS leadership and those for which destruction has been placed on hold due to litigation.
Carfrae did not respond to questions about the encryption issue’s impact on DHS’ ability to respond to Open Records Law requests, subpoenas for information and discovery requests made in civil court.
The lawsuit that led to the disclosure of the encryption problem involves Alyson Rasmusson of Marshalltown. She alleges that in 2017, she ran an in-home day care service and was wrongly blamed by DHS for injuries sustained by one of the children in her care.
She alleges the child’s mother repeatedly told investigators the child appeared to have been injured at home by the family’s dog, but that DHS investigators said they were under pressure from their superiors to find someone to blame.
DHS allegedly offered to alter its findings of abuse if Rasmusson would sign a form agreeing not to sue the state for its actions. She refused, and one day before the appeal hearing, DHS changed its findings to “perpetrator unknown.”