Your source for news in Hot Springs County
The Wyoming Department of Health (WDH) is announcing a mistaken exposure of laboratory test result data involving the health information of thousands of Wyoming residents and others, as well as describing its plan to respond.
The department became aware of a breach involving protected health information on March 10, 2021. It was discovered a workforce member inappropriately handled the health information of approximately 164,021 Wyoming residents and others as early as November 5, 2020.
The incident involves an unintentional exposure of 53 files containing COVID-19 and influenza test result data and one file containing breath alcohol test results. These files were mistakenly uploaded by a WDH Public Health Division workforce member to private and public online storage locations, known as repositories, on servers belonging to GitHub.com.
GitHub is an internet-based software development platform typically used for version control and code management while writing code for data models. This incident did not result from a compromise of GitHub or its systems. While GitHub.com has privacy and security policies and procedures in place regarding the use of data on their platform, the mistakes made by the WDH employee still allowed the information to be exposed.
The information was also unintentionally disclosed, meaning it was made available to individuals who were not authorized to receive it, on GitHub’s public site as early as January 8, 2021.
The exposed health information included COVID-19 tests that were electronically reported to the WDH for Wyoming residents, including name or patient id, address, date of birth, test results and dates of service. These COVID-19 tests could have been performed anywhere in the United States between January 2020 to March 2021.
Michael Ceballos, WDH director, said, “While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com.”
“We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help,” Ceballos said.
Ceballos noted the affected files did NOT contain social security numbers, or banking, financial or health insurance information.
WDH started sending notices to potentially affected individuals yesterday. However, contact information was unfortunately incomplete for many others.
A special WDH information line dedicated to the situation has been established at 1(833) 847-5916. The phone line will be available Monday through Friday, 9 a.m. to 7 p.m. through August 6.
Wyoming residents who received COVID-19 or influenza tests anywhere in the United States between January 2020 and March 9, 2021 but who do not receive a written notice within the next two weeks should call the information line to learn if their information was involved. In addition, anyone who received a breath alcohol test performed by law enforcement in Wyoming between April 19, 2012 and January 27, 2021 who doesn’t receive a letter should also call.
“We recognize maintaining personal information privacy is important. Because we want to be extra cautious about this situation, we are offering affected individuals one year of free identity theft protection through IdentityForce,” said Jeri Hendricks, Office of Privacy, Security and Contracts administrator with WDH.
IdentityForce provides advanced credit and dark web monitoring, along with identity theft insurance and medical identity theft coverage. To take advantage of the offer, affected individuals can call the WDH information line at 1(833) 847-5916 for an IdentityForce verification code to allow online enrollment for the service.
“Because we are committed to the privacy and security of individuals’ protected health information, we have taken steps to help prevent further harm from this situation or similar circumstances from happening again,” Hendricks said. “Files have been removed from the GitHub repositories and GitHub has destroyed any dangling data from their servers. Business practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained.”
Hendricks noted WDH always recommends the following steps to help prevent information-related harm:
· Carefully read medical providers’ notices of privacy practices
·Regularly request and maintain copies of health information
· Monitor health information for accuracy, and request an amendment if incorrect
·Request an accounting of disclosures from medical providers, especially if information is potentially being used or disclosed inappropriately
·If necessary, request restrictions of health information uses and disclosures
Hendricks said appropriate corrective action has been taken and the WDH Office of Privacy, Security and Contract’s (OPSC) investigation of this incident is complete. An official WDH notice about the situation can be found online at https://health.wyo.gov/admin/privacy/.
Fraud reports surface related to WDH information breach
The Wyoming Department of Health (WDH) is warning residents about fraudulent calls from people falsely claiming to represent the department in connection to a recently announced WDH health information breach.
WDH recently described a mistaken exposure of laboratory test result data involving more than 164,000 Wyoming residents and others including hundreds from Colorado. The incident involved COVID-19 and influenza test result data and breath alcohol test result files mistakenly uploaded by an employee to private and public online storage locations on servers belonging to GitHub.com.
Jeri Hendricks, Office of Privacy, Security and Contracts administrator with WDH, said the department is hearing reports of Wyoming residents receiving fraudulent calls from people claiming to represent the department in connection with the breach.“The callers falsely claim to represent us, say they are calling about the breach and then ask the individuals they’ve reached for insurance, Medicare, Medicaid or other financial information. In some instances, it seems they have been able to make it appear as if the calls are coming from state government phone numbers,”
Hendricks said.“No one representing the department will ask you for insurance, Medicare, Medicaid or personal financial information. No one representing the department will call you about the breach unless they are returning a call you made to us first,” Hendricks said.
Hendricks emphasized the affected files did NOT contain social security numbers, or banking, financial, health insurance, Medicare or Medicaid information but did include name or patient id, address, date of birth, test results and dates of service.
A special WDH information line dedicated to the breach has been established at 1(833) 847-5916. The phone line is available Monday through Friday, 9 a.m. to 7 p.m.WDH has advised Wyoming residents who received COVID-19 or influenza tests anywhere in the United States between January 2020 and March 9, 2021 but who do not receive a written notice within the next two weeks to call the information line to learn if their information was involved. In addition, anyone who received a breath alcohol test performed by law enforcement in Wyoming between April 19, 2012 and January 27, 2021 who doesn’t receive a letter should also call.
A year of free IdentityForce protection has been offered by WDH to people affected by the breach. IdentityForce provides advanced credit and dark web monitoring, along with identity theft insurance and medical identity theft coverage. Affected individuals can call the WDH information line at 1(833) 847-5916 for an IdentityForce verification code to allow online enrollment for the service.
Scams related to the health information breach should be reported to the Consumer Protection Unit in the Wyoming Attorney General’s office by calling 307-777-6397, by emailing ag.consumer@wyo.gov or by submitting formal complaints online.An official WDH notice about the breach can be found online at https://health.wyo.gov/admin/privacy/.
Reader Comments(0)