Please ensure Javascript is enabled for purposes of website accessibility

Audit: St. Mary’s College didn’t protect data

Maryland state auditors say St. Mary’s College of Maryland didn’t adequately protect sensitive personal information belonging to some students and employees and monitor some vendor payments closely enough.

St. Mary's College of Maryland. (File)

St. Mary’s College of Maryland. (File)

The public college also overpaid a retiring employee by about $10,000 after improperly calculating the employee’s accumulated personal leave time, according to a report released Thursday by the Office of Legislative Audits.

The college paid the employee $38,118 for unused leave, including 564 hours carried forward from previous years. College officials were unaware that the person – who was employed by another state agency but assigned to work at St. Mary’s – was subject to a state law allowing only 400 hours of leave to be carried over from previous years, according to the report.

But even if the college had followed its own, more restrictive policy about carrying over leave time, the overpayment would have been even higher – $26,621, according to the report.

St. Mary’s officials told auditors they didn’t intend to try to recover the overpayment, but the Office of the Attorney General has agreed to consider possible recovery, according to the report.

In its written response to the audit, St. Mary’s pledged to calculate future leave payouts according to the college policy, make sure the number of allowed hours is not exceeded and work with the Office of the Attorney General on any follow-up action he office feels is appropriate.

The routine fiscal compliance audit covered the period from July 1, 2012, to Aug. 23, 2015.

Auditors also found that as of January 2016, personal information such as names, Social Security numbers and dates of birth for 117,194 students and employees was stored in clear text on a college database – leaving it at risk for identity theft.

The college has agreed to implement auditors’ recommendations, such as deleting unneeded personal information and making sure information is protected through encryption or other safeguards, by January 2017.

In response to other auditor’s findings, St. Mary’s also agreed to strengthen its computer systems’ protections against malware and more closely monitor the security of its databases.

Auditors also found that the college was not properly verifying the invoices from its food services vendor, to which it paid $4.2 million in 2015.

The college agreed to begin conducting bi-weekly verifications of the vendor’s charges by October, according to its written response to auditors.

Founded in 1840, the four-year, liberal arts college is a public institution but is not part of the University System of Maryland. In the fall 2015 semester, a total of 1,773 students were enrolled, according to the audit.