The Wyoming Department of Health (WDH) has discovered that the protected health information (PHI) of 164,021 people was accidentally exposed on the internet because of a mistake made by one of its employees.
On March 10, 2021, WDH learned that a worker had uploaded data files containing medical test information to private and public repositories on the software development platform GitHub. Although security controls are in place to safeguard users’ privacy, an error by the worker meant the data could have been viewed by unauthorized persons beginning January 8, 2021.
A total of 53 files containing COVID-19 and influenza test result information were uploaded to the platform, together with one file that included breath alcohol test result information. The compromised data contained patient IDs, addresses, birth dates, dates of service, and test results. The COVID-19 test result records had been submitted to WDH for Wyoming citizens, though the tests themselves might have been performed anywhere in the U.S. between January 2020 and March 2021. The alcohol test data pertained to tests conducted by law enforcement in Wyoming from April 19, 2012 to January 27, 2021.
WDH Director Michael Ceballos stated that although WDH employees meant to use this software service only for code storage and maintenance rather than to maintain files containing health data, a substantial and very unfortunate mistake was made when the test result information was also published to GitHub.com. WDH sincerely apologizes to all those affected and will offer help.
The files were deleted from GitHub, and GitHub has stated that the files were deleted from its servers. WDH has taken steps to prevent similar breaches of PHI in the future, such as prohibiting the use of GitHub and other public databases and retraining its employees.
Though no Social Security numbers, financial details, or medical insurance data were breached, as a safety precaution WDH has provided affected individuals with complimentary identity theft protection services via IdentityForce, which include advanced credit and dark web monitoring and identity theft insurance coverage.
This is the second GitHub-related breach to be announced in the past few weeks. Earlier this month, Med-Data confirmed that the PHI of patients of a few of its clients was inadvertently uploaded to GitHub repositories. Researcher Jelle Ursem and databreaches.net identified many incidents where healthcare data were exposed on the site.