HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Personal and COVID-19 Status Data Stolen from South Dakota Fusion Center in “BlueLeaks” Hacking Incident

The Houston, TX-based web developer Netsential had its web servers hacked and almost 270 gigabytes of data were stolen and was published online on June 19, 2020 by hacktivists and the data stolen was published by Distributed Denial of Secrets (DDoSecrets).  The hack and data leak incident was termed “BlueLeaks” and included 10 years of law enforcement data from around 200 police departments and fusion centers. Fusion centers gather and analyze threat information and share the data with states, government organizations, and private sector firms. The leaked data contained more than 1 million lines and included scanned documents, video and audio files, and emails.

The South Dakota Department of Public Safety’s State Fusion Center has recently announced that it has also been impacted by the data breach. The South Dakota Fusion Center developed a secure online portal in the spring of 2020 using Netsential’s services. The portal was developed to allow first responders to identify COVID-19 positive individuals so they would be able to take extra precautions to avoid being infected when responding to incidents. Data about infected individuals were not provided directly to first responders, instead they could call a dispatcher who would verify whether a particular individual was COVID-19 positive through the secure online portal.

The portal had appropriate security controls in place and only a limited number of trained South Dakota officials were granted access to the portal, which was housed on Netsential’s secure web servers. Security measures had also been implemented to ensure that in the event of an unauthorized individual gaining access to the data file separately from the online portal, it would not be possible to access individual health information.

However, Netsential added labels to the file which inadvertently allowed the information of individuals to be accessed in the event of the file being removed from Netsential’s systems. That file was stolen in the BlueLeaks attack and, as a result of Netsential’s security failure, the names, addresses, dates of birth, and COVID-19 statuses of an undisclosed number of individuals was accessible to the hackers. Affected individuals are now being notified.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.