Share this article on:
The Wyoming Department of Health (WDH) has discovered the protected health information of 164,021 individuals has been accidentally exposed online due to an error by a member of its workforce.
On March 10, 2021, WDH discovered an employee had uploaded files containing medical test result data to private and public repositories on the software development platform GitHub. While security controls are in place to protect users’ privacy, an error by the employee meant the data could potentially have been accessed by individuals unauthorized to view the information from January 8, 2021.
In total 53 files were uploaded to the platform that included COVID-19 and influenza test result data, along with one file that contained breath alcohol test results. The exposed information included patient IDs, dates of birth, addresses, dates of service, and test results. The COVID-19 test result data had been reported to WDH for Wyoming residents, although the tests themselves may have been performed anywhere in the United States between January 2020 and March 2021. The alcohol test results related to tests performed by law enforcement in Wyoming between April 19, 2012 and January 27, 2021.
“While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com,” said WDH Director Michael Ceballos. “We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help.”
The files have been removed from GitHub and GitHub has confirmed that the files have been removed from its servers. WDH has taken steps to prevent similar exposures of protected health information in the future, including prohibiting the use of GitHub and other public repositories and retraining its workforce.
While no Social Security numbers, financial information, or health insurance information was involved, out of an abundance of caution, WDH has offered affected individuals complimentary identity theft protection services through IdentityForce, which includes advanced credit and dark web monitoring and an identity theft insurance policy.
This is the second GitHub-related breach to be announced in the past few weeks. Earlier this month, Med-Data confirmed that the protected health information of patients of some of its clients had been accidentally uploaded to GitHub repositories and an investigation by researcher Jelle Ursem and databreaches.net in 2020 identified many cases where healthcare data had been exposed on the platform.
Wyomingites Targeted in Telephone Phishing Scam
1/4 of Wyomingites have been affected by this breach and scammers have seized the opportunity and are conducting speculative voice phishing (vishing) calls to get Wyomingites to reveal sensitive information such as insurance information, Medicare, Medicaid or other financial information. The calls appear to be random rather than being made using phone numbers obtained in the breach.
“No one representing the department will ask you for insurance, Medicare, Medicaid or personal financial information. No one representing the department will call you about the breach unless they are returning a call you made to us first,” said Wyoming Department of Health administrator Jeri Hendricks.