The Trump Era

Labor Department blames data breach for injury reporting site’s shutdown

Labor Secretary Alexander Acosta greets employees. The department has shut down part of a website where companies report employee injuries and deaths, blaming a data breach. Credit: Andrew Harnik/Associated Press

Once again, the nation’s top workplace safety regulator has a message for employers: Don’t send us your injury logs. But rather than bureaucratic red tape, this time, the online filing system is hamstrung by a data breach.

The Labor Department on Wednesday temporarily shut down the website so computer experts can evaluate any security problems. The shutdown was prompted by an alert from the Department of Homeland Security that a company’s information had been compromised, said Kimberly Darby, an agency spokeswoman.

“They are still working on it,” she said in a phone interview Thursday. “We’re hoping it will be up in the next day or so.”

As of today, the site still contains warnings that some pages are unavailable due to technical difficulties.

The injury reporting requirements are intended to encourage employers to improve safety, provide workers with a deeper understanding of risks associated with their workplaces and help Occupational Safety and Health Administration officials prioritize investigations. Industry groups have assailed the new requirements for companies to electronically submit data from their injury and illness logs, arguing that they will force employers to disclose private information.

The Trump administration may overturn the Obama-era requirement, which applies to roughly 450,000 companies. In May, Reveal highlighted how OSHA had failed to post the website even though it had been ready months earlier. The Trump administration then moved the date for employers to comply from July 1 to Dec. 1.

Jordan Barab, the former deputy assistant secretary of OSHA under President Barack Obama, argued in a blog post that the logs companies must submit initially don’t contain employee names or personally identifiable information.

Even some management lawyers agreed.

“It would not be personal information in the classic sense of Social Security numbers or detailed health information,” said Howard Mavity, a management lawyer in Atlanta. “Initial uploads are going to be summaries or injuries and illnesses. I don’t know that it meets the true definition of personal information.”

Nevertheless, he added: “The concern is even if nonessential data was hacked, you’re now on notice that someone got in the system.”

Jennifer Gollan can be reached at Follow her on Twitter: @jennifergollan.

Don't miss the next big story.

Brave investigations that change minds, laws and lives. Emailed directly to you.