FBI Investigates COVID-19 Patient Data Breach in South Dakota

The state’s Department of Public Safety says some personal patient information within a novel coronavirus database was exposed in June. Officials say financial information and Social Security numbers were not accessed.

by Siandhara Bonnet, Rapid City Journal / August 24, 2020

(TNS) — South Dakotans who have or have had COVID-19 may be subject to a data breach that is under federal criminal investigation.

The Department of Public Safety sent out letters dated Aug. 17 to those who may have been affected by a June 19 information breach that targeted the database shared between the Department of Health and law enforcement.

The database was hosted on servers from third-party Netsential.com, Inc., a web development firm used by fusion centers and law enforcement across the nation.

According to the letter the Journal received from a woman from Flandreau, a person’s name, address, date of birth and COVID-19 status may have been accessed.

The woman’s identity is known to the Journal but is being kept anonymous out of fear that her identity could be stolen.

The letter is signed by DPS director Paul Niedringhaus.

“This information may continue to be available on various Internet sites that link to files from the Netsential breach,” the letter states. “The list did not include any financial information, social security numbers, or Internet passwords of any individuals.”

The woman who sent the letter to the Journal said she thought the letter was going to be a traffic ticket, but is now concerned someone will steal her identity.

“The fact that most people didn’t even know that this information was being shared with law enforcement, I feel like this is the first letter that they’ll get even knowing that their information was shared,” she said. “I just feel like it’s added stress to an already delicate situation” for people who have or recovered from the virus.

The letter states the DPS Fusion Center, using Netsential’s services, developed an online portal to help first responders be safe while responding to calls — they did not receive a list of COVID-19 positive individuals, but could call a dispatcher to find out if someone in the house had the virus.

It also states the information was restricted to “a select number of South Dakota officials who received both training in handling the data and an individual password for accessing it.” If the information was accessed outside the online portal, individual health information wouldn’t be shared.

However, Netsential added labels to the file that could allow a third party to identify a COVID-19 status if it were removed from the system.

“The letter speaks for itself, and because this is an FBI-led criminal investigation, we cannot comment any further,” DPS public information officer Tony Mangan said.

Those who received the letter are encouraged to take precautions to secure their information and to visit a webpage titled “South Dakota Consumer Protection” from the Office of Attorney General.

The page discusses identity theft, ways information can be accessed and how to keep information secure. It also lists steps to take if someone’s information is accessed in a security breach.

The DPS letter states that under South Dakota law, Netsential should notify those possibly affected by the breach, but has not confirmed it will do so.

The FBI was not immediately available for comment.

©2020 Rapid City Journal, Distributed by Tribune Content Agency, LLC.
