The Wyoming Department of Health (WDH) has found out that the protected health information (PHI) of 164,021 persons was accidentally compromised on the web as a result of a blunder made by a member of its labor force.
On March 10, 2021, WDH learned that a staff member had published documents with medical test information to public and private databases on the software development platform GitHub. Although security controls are set up to take care of users’ privacy, a mistake by the staff meant the information could likely have been viewed by people unauthorized to see the data since January 8, 2021.
There were a total of 53 files uploaded to GitHub that contained COVID-19 and flu test result information, as well as one file that comprised breath alcohol test results information. The exposed details involved patient IDs, addresses, dates of birth, dates of service, and test results data. The COVID-19 test result records had been submitted to WDH for Wyoming locals, even though the tests themselves could have been conducted any place in America from January 2020 to March 2021. The alcohol test data linked to tests done by authorities in Wyoming from April 19, 2012 until January 27, 2021.
WDH Director Michael Ceballos explained that though WDH workers supposed to employ this software service merely for code storage and maintenance and not to maintain files that contain health data, a considerable and very unfortunate blunder was made when the test result data was at the same time loaded to GitHub.com. WDH truly apologizes to everyone affected and will provide assistance.
The files were taken off from GitHub and GitHub has affirmed that the files were taken out from its servers. WDH has taken action to avoid identical breaches of PHI sometime soon, which include forbidding the usage of GitHub and other public repositories and re-teaching its staff.
Though no Social Security numbers, financial data, or medical insurance details were exposed, as a safety measure, WDH has given impacted persons free identity theft protection services with IdentityForce, which consists of advanced credit and dark web tracking and an identity theft insurance plan.
This is the second breach associated with GitHub to be reported in the last few weeks. At the beginning of this April, Med-Data affirmed that the PHI of patients of a number of its clients were unintentionally uploaded to GitHub databases. Researcher Jelle Ursem and databreaches.net found many occasions where medical information was compromised on the site.