164K Wyoming Residents Exposed in Public Health Breach

According to a statement issued Tuesday by the Wyoming Department of Health, files were mistakenly uploaded by an official to private and public online repositories on servers belonging to GitHub.com.

Data privacy concept
(TNS) — The Wyoming Department of Health announced Tuesday that thousands of state residents had their personal information, including names, addresses and dates of birth, exposed through an online server containing COVID-19, influenza and breath alcohol test results. Department officials emphasized that the breached data did not include any Social Security numbers or banking, financial or health insurance information.

In early March, department officials became aware of a breach involving residents' protected information, in which an official in the department's Public Health Division inappropriately handled the health information of 164,021 Wyoming residents, or more than a quarter of the state's overall population, starting as early as Nov. 5, 2020.

The exposed information included 53 files containing COVID-19 and flu test result data, along with a single file containing breath alcohol test results. Department of Health spokeswoman Kim Deti told the Wyoming Tribune Eagle on Tuesday afternoon that officials were "aware (the data) was downloaded; we have no information on whether it was misused."

According to a statement issued Tuesday by the state Department of Health, those files were mistakenly uploaded by the official to private and public online repositories on servers belonging to GitHub.com, a software development and code hosting website. The department emphasized that the incident "did not result from a compromise of GitHub or its systems."

"While GitHub.com has privacy and security policies and procedures in place regarding the use of data on their platform, the mistakes made by the WDH employee still allowed the information to be exposed," reads the department's statement. "The information was also unintentionally disclosed, meaning it was made available to individuals who were not authorized to receive it, on GitHub's public site as early as January 8, 2021."

The exposed health information came from COVID-19 tests that could have been performed anywhere in the U.S. between January 2020 and March of this year, and it included names, addresses, dates of birth, test results and dates of service. The breath alcohol test results also included residents' driver's license or state-issued identification numbers.

Following the incident, one individual is no longer employed at the Wyoming Department of Health, Deti said.

"There were two employees involved; one indirectly and one directly," Deti said in an email. "One is no longer employed by the department and one is still employed."

The department "only intended to use this software for code storage and maintenance, not to maintain files containing health information," according to a departmental notice released Tuesday. In an email, Deti said "GitHub was used in this situation, but it would be inaccurate to describe it as a typical or common practice" used by the department.

Department of Health Director Michael Ceballos apologized for the incident in a statement, emphasizing the exposed files did not include social security numbers or any financial or health insurance information.

"While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com," Ceballos said in the statement. "We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help."

The department began notifying Wyoming residents affected by the breach Monday, and all notices will be mailed by May 7, according to the state Department of Health. However, contact information was incomplete for many who had their information exposed. Deti was unable to give an estimate of how many people whose data was breached lacked contact information.

A special information line dedicated to the situation has been created and can be reached by calling 1-833-847-5916. The phone line will be available Monday through Friday, 9 a.m. to 7 p.m., through Aug. 6.

Wyoming residents who received COVID-19 or influenza tests between January 2020 and March 9, 2021 and do not receive a written notice within the next two weeks should call the information line to learn if their information was involved, according to the department. Additionally, anyone who received a breath alcohol test performed by law enforcement in Wyoming between April 19, 2012 and Jan. 27, 2021 who doesn't receive a letter should also call the number.

"We recognize maintaining personal information privacy is important. Because we want to be extra cautious about this situation, we are offering affected individuals one year of free identity theft protection through IdentityForce," Jeri Hendricks, administrator of the department's Office of Privacy, Security and Contracts, said in a statement.

IdentityForce offers identity theft insurance and medical identity theft coverage, as well as advanced credit and dark-web monitoring for its customers. Affected individuals who wish to use the service can call the department's information line at 1-833-847-5916 for an IdentityForce verification code to allow online enrollment for it.

"Because we are committed to the privacy and security of individuals' protected health information, we have taken steps to help prevent further harm from this situation or similar circumstances from happening again," Hendricks said. "Files have been removed from the GitHub repositories and GitHub has destroyed any dangling data from their servers. Business practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained."

Hendricks said appropriate corrective action has been taken and his office's investigation of the incident is complete. An official WDH notice about the situation can be found online at https://health.wyo.gov/admin/privacy/.

©2021 Wyoming Tribune-Eagle, Distributed by Tribune Content Agency, LLC.