The Wyoming Department of Health (WDH) has discovered the protected health information of 164,021 individuals has been accidentally exposed online due to an error by a member of its workforce.
On March 10, 2021, WDH discovered an employee had uploaded files containing medical test result data to private and public repositories on the software development platform GitHub. While security controls are in place to protect users’ privacy, an error by the employee meant the data could potentially have been accessed by individuals unauthorized to view the information from January 8, 2021.
In total 53 files were uploaded to the platform that included COVID-19 and influenza test result data, along with one file that contained breath alcohol test results. The exposed information included patient IDs, dates of birth, addresses, dates of service, and test results. The COVID-19 test result data had been reported to WDH for Wyoming residents, although the tests themselves may have been performed anywhere in the United States between January 2020 and March 2021. The alcohol test results related to tests performed by law enforcement in Wyoming between April 19, 2012 and January 27, 2021.
“While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com,” said WDH Director Michael Ceballos. “We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help.”
The files have been removed from GitHub and GitHub has confirmed that the files have been removed from its servers. WDH has taken steps to prevent similar exposures of protected health information in the future, including prohibiting the use of GitHub and other public repositories and retraining its workforce.
While no Social Security numbers, financial information, or health insurance information was involved, out of an abundance of caution, WDH has offered affected individuals complimentary identity theft protection services through IdentityForce, which includes advanced credit and dark web monitoring and an identity theft insurance policy.
This is the second GitHub-related breach to be announced in the past few weeks. Earlier this month, Med-Data confirmed that the protected health information of patients of some of its clients had been accidentally uploaded to GitHub repositories and an investigation by researcher Jelle Ursem and databreaches.net in 2020 identified many cases where healthcare data had been exposed on the platform.
The post Wyoming Department of Health Announces GitHub Data Breach Affecting 164,000 Individuals appeared first on HIPAA Journal.