The Wyoming Department of Health (WDH) has admitted it “unintentionally disclosed” Covid-19, flu, and breath alcohol test result data belonging to 164,000 individuals for two months.
According to a breach alert (PDF) issued on Tuesday (April 27), an employee of the WDH’s public health division “mistakenly uploaded” 53 files containing coronavirus and influenza test result data and one file comprising breath alcohol test results to GitHub, the software development platform.
The laboratory data, which was then publicly exposed on public repositories intended for “code storage and maintenance”, included individuals’ names or patient IDs, postal addresses, dates of birth, test results, and dates of service.
The WDH said the data did not include Social Security numbers or any banking, financial, or health insurance information.
The exposed information pertains to Covid-19 and influenza tests performed anywhere in the US between January 2020 and March 2021, and breath alcohol tests conducted by law enforcement in Wyoming between April 19, 2012, and January 27, 2021.
Data leak timeline
The Covid-19 and flu data was uploaded to GitHub on November 5, 2020, and “unintentionally disclosed” on public repositories from January 8, 2021.
Breath alcohol test result data was then publicly exposed on March 9.
The WDH said it became aware of the breach on March 10 and immediately removed the files from GitHub.
Microsoft-owned GitHub was not at fault, said the WDH.
“While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com,” said Michael Ceballos, director of WDH.
“We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help,” he added.
Remedial actions
In a separate statement, Jeri Hendricks, privacy and security administrator at the WDH’s Office of Privacy, Security and Contracts, said: “GitHub has destroyed any dangling data from their servers.
“Business practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained.”
The employee responsible has been “sanctioned”, according to the breach alert.
The WDH said it started alerting affected individuals on April 26 and would mail all such notices by May 7.
However, around 18,000 and 25,000 individuals respectively affected by the breath alcohol and Covid-19/influenza test breaches cannot be contacted due to “insufficient contact information”.
A dedicated phone line has been set up to help anyone ascertain whether their personal data was involved, and affected individuals have been offered a free one-year subscription to an identity theft protection service.