Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of MassHire Department of Career Services (May 27, 2025)

May 27, 2025 · MassHire Department of Career Services · Read the full official report on mass.gov ↗

Published May 27, 2025 Audit covers July 1, 2022 – June 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The audit found that MassHire’s websites, including JobQuest and career center sites, were not fully accessible, and that MassHire had weaknesses in how it protected sensitive personal information.
source
“The MDCS JobQuest website is not fully accessible for all Massachusetts residents and users.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the MassHire Department of Career Services for July 1, 2022 through June 30, 2023.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the MassHire Department of Career Services (MDCS) for the period July 1, 2022 through June 30, 2023.”
Why was it audited?

Auditors checked whether MassHire’s main website, career center websites, and JobQuest met accessibility rules, and whether MassHire had basic information security practices for sensitive data.

“The purpose of this performance audit was to determine whether MDCS’s website, as well as its career centers and JobQuest websites, adhered to the accessibility standards established by the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility.”
Why it matters

These problems matter because people may have trouble using job-search services online, and sensitive personal information may be exposed to avoidable risks.

“Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it.”
What's in it for me?

If you use MassHire services, the findings affect whether you can easily access job help online and whether your personal information is protected properly.

“These career centers offer job seekers services and events like career guidance, resume writing, workshops, and trainings.”
The bottom line

MassHire needs to fix website accessibility problems, classify its data and systems, and tighten approval for access to personal information.

“MDCS did not ensure that access to PII stored at the career centers was limited to approved personnel members who have business needs to access it.”
What happens next

MassHire said it is working on modernization, new data governance, accessibility reviews, and better access controls.

“Based on its response, MDCS is taking measures to address our concerns regarding this matter.”
Why it's significant

This report is significant because MassHire serves many job seekers and companies, so website access and data protection affect a large public workforce system.

“In fiscal year 2022, MDCS aided more than 72,000 job seekers (including those seeking unemployment insurance) and supported more than 19,000 companies.”
Jargon, unpacked

PII means personal details that can identify someone, and WCAG is a set of rules meant to make websites usable for people with disabilities.

“PII personally identifiable information”

What the Auditor checked

What the Auditor found

The MDCS website was not fully accessible for all Massachusetts residents and users.
internal controls

Why it matters: The accessibility issues can impair users’ ability to use the website and undermine equitable digital access.

Standard: WCAG 2.1 Success Criterion 1.4.10 Reflow and Success Criterion 3.1.1 Language of a Page. ( WCAG 2.1 Success Criterion 1.4.10 Reflow; WCAG 2.1 Success Criterion 3.1.1 Language of a Page )

3 recommendations
  • MDCS should implement a policy to review its webpages periodically for WCAG 2.1 compliance.
  • MDCS should collaborate with EOTSS to develop a periodic web maintenance schedule for incorrect language tags and improper reflow.
  • MDCS should assign staff to oversee accessibility compliance and website updates.
Agency response & Auditor reply
Agency: "Throughout this modernization, EOLWD/MDCS will collaborate with EOTSS to revise internal policies and procedures to ensure compliance with Web Content Accessibility Guidelines and other Commonwealth standards."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
MDCS career centers’ websites were not fully accessible for all Massachusetts residents and users.
internal controls

Why it matters: Accessibility failures can prevent users from accessing critical information and services, especially users with visual impairments or mobility issues.

Standard: WCAG 2.1 Success Criteria 1.4.10, 2.4.5, 1.4.1, 2.1.1, and 3.3.1. ( WCAG 2.1 Success Criterion 1.4.10 Reflow; WCAG 2.1 Success Criterion 2.4.5 Multiple Ways; WCAG 2.1 Success Criterion 1.4.1 Use of Color; WCAG 2.1 Success Criterion 2.1.1 Keyboard; WCAG 2.1 Success Criterion 3.3.1 Error Identification )

3 recommendations
  • MDCS should implement and enforce a policy for career centers to review webpages periodically for WCAG 2.1 compliance.
  • MDCS should collaborate with EOTSS and career centers to develop a periodic web maintenance schedule.
  • MDCS should require career centers to assign staff to oversee accessibility compliance and website updates.
Agency response & Auditor reply
Agency: "Additionally, MDCS will continue to collaborate with EOTSS and local career centers to support compliance with the latest WCAG standards."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
The MDCS JobQuest website was not fully accessible for all Massachusetts residents and users.
internal controlsvendor oversight

Why it matters: Accessibility failures can limit access to job, training, and workshop information and make the website difficult to use for people relying on assistive technology.

Standard: WCAG 2.1 Success Criteria 1.4.10, 2.4.5, 1.4.1, 2.1.1, 2.1.2, 2.4.1, 2.4.2, 3.1.1, and 3.3.2. ( WCAG 2.1 Success Criterion 2.1.2 No Keyboard Trap; WCAG 2.1 Success Criterion 2.4.1 Bypass Blocks; WCAG 2.1 Success Criterion 2.4.2 Page Titled; WCAG 2.1 Success Criterion 3.3.2 Labels of Instructions )

3 recommendations
  • MDCS should ensure its third-party contractor complies with WCAG 2.1.
  • MDCS should work with the third-party contractor to develop a periodic maintenance schedule for noncompliant JobQuest webpages.
  • MDCS should assign staff to oversee accessibility compliance for all JobQuest webpages.
Agency response & Auditor reply
Agency: "Additionally, MDCS is working with a third-party contractor to develop a plan to align JobQuest with WCAG 2.1."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
MDCS did not have an information classification policy and did not classify its data.
data privacycybersecurityinternal controls

Why it matters: Without data classification, sensitive data may be more vulnerable to unauthorized access, theft, misuse, legal liabilities, regulatory violations, and reputational damage.

Standard: EOTSS Information Asset Management Standard IS.004, Section 6.2. ( EOTSS Information Asset Management Standard IS.004, Section 6.2 )

2 recommendations
  • MDCS should develop and implement an information classification policy that complies with IS.004 and assigns an information custodian.
  • MDCS should conduct a data inventory and classification assessment based on sensitivity, criticality, and regulatory requirements.
Agency response & Auditor reply
Agency: "EOLWD is in the process of developing a comprehensive data framework and related governance strategy that will apply to all MDCS data."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
MDCS did not perform a business impact analysis or risk assessment to classify its information systems.
cybersecurityinternal controls

Why it matters: Without system classification, MDCS may not properly protect vital systems or prioritize IT resources during emergencies.

Standard: EOTSS Asset Management Standard IS.004, Section 6.6.2. ( EOTSS Asset Management Standard IS.004, Section 6.6.2 )

2 recommendations
  • MDCS should implement a policy to periodically conduct a business impact analysis or risk assessment to classify information systems.
  • MDCS should review information system classifications annually or when significant system changes occur.
Agency response & Auditor reply
Agency: "This will include a related business impact analysis and risk assessment."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
MDCS did not ensure that access to PII in its centralized database was limited to approved users with a business need.
data privacycybersecurityinternal controlsrecordkeeping/documentation

Why it matters: Unauthorized or undocumented access to PII increases the risk of data breaches, identity theft, reputational damage, and legal liability.

Standard: EOTSS Asset Management Standard IS.004, Section 6.2.1. ( EOTSS Asset Management Standard IS.004, Section 6.2.1; EOTSS Asset Management Standard IS.004, Section 6.2.1.1 )

4 recommendations
  • MDCS should ensure every user requiring access to PII in the centralized database has their business need reviewed and approved before access is granted.
  • MDCS should implement role-based access aligned with least privilege.
  • MDCS should periodically review current users’ access to determine whether they have appropriate approval.
  • MDCS should have users hired before fiscal year 2014 resubmit database access forms electronically.
Agency response & Auditor reply
Agency: "MDCS will review user access to ensure that all users have formal authorization to access the database; as part of a comprehensive policy review built into the new system, MDCS intends to build in an automated annual review process."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."
MDCS did not ensure that access to PII stored at career centers was limited to approved users with a business need.
data privacycybersecurityinternal controlsrecordkeeping/documentation

Why it matters: Unapproved access to PII stored outside the centralized database increases risks of data breaches, identity theft, reputational damage, and legal liability.

Standard: EOTSS Asset Management Standard IS.004, Section 6.2.1. ( EOTSS Asset Management Standard IS.004, Section 6.2.1; EOTSS Asset Management Standard IS.004, Section 6.2.1.1 )

3 recommendations
  • MDCS should implement a strict access control policy requiring formal approval before granting access to PII stored outside the centralized database.
  • MDCS should implement role-based access aligned with least privilege.
  • MDCS should ensure career centers periodically review current users’ access for appropriate approval.
Agency response & Auditor reply
Agency: "As part of system modernization, MDCS will implement a multi-tiered authorized access management system based on necessary functions, including a periodic review of user access to determine whether these users have the appropriate approval."
Auditor: "Based on its response, MDCS is taking measures to address our concerns regarding this matter."