Laboratory test results, including for coronavirus, on an estimated 164,000 people have accidently been made available online by a member of Wyoming’s Department of Health (WDH).
The incident involves exposure of 53 files containing Covid-19 and influenza test results and one file containing breath alcohol test results.
The department is aware the data was downloaded, but has no information on whether it was misused, a spokeswoman was reported as saying by the Wyoming Tribune Eagle newspaper.
The files were mistakenly uploaded by an employee of the public health division to private and public online storage repositories on servers belonging to GitHub.com, a software development platform usually used for version control and code management while writing code for data models.
“While GitHub.com has privacy and security policies and procedures in place regarding the use of data on their platform, the mistakes made by the WDH employee still allowed the information to be exposed,” the department said.
It was available to individuals not authorised to receive it on GitHub’s public site from 8 January to 10 March, when the department became aware of a data breach.
The exposed information included Covid-19 tests electronically reported to the WDH for Wyoming residents, including name or patient ID, address, date of birth, results of Covid-19 tests electronically reported to the WDH for Wyoming residents and dates of service.
The department went public about the incident this week, with director Michael Ceballos saying: “While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com.
“We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help.”
He emphasised the files did not contain social security numbers, or banking, financial or health insurance information.
The WDH began sending notices to potentially affected individuals on 26 April. It is offering them one year of free identity theft protection.
The files have been removed from GitHub’s repositories and GitHub has destroyed any dangling data from its servers, said Jeri Hendricks, administrator of the department’s office of privacy, security and contracts.
The exposed Covid-19 and flu test results cover from 5 November last year to 10 March, and the breath alcohol test results between 19 April 2012 and 27 January 2021.
Register to receive the latest data protection and privacy news and analysis straight to your inbox
No comments yet