Wyoming’s Department of Health (WDH) has announced the accidental exposure of personal health information belonging to more than a quarter of the state’s population on GitHub.com.
The data breach occurred when fifty-three files containing laboratory test results were “inappropriately handled” by an employee.
News of the security incident was published on the department’s website yesterday along with a response plan.
WDH detected the breach on March 10. An investigation into the incident revealed that the health information of approximately 164,021 Wyoming residents and others could have been exposed as early as November 5, 2020.
Data in the leaked files included the results of tests for influenza and COVID-19 performed across the United States between January 2020 and March 2021. One file containing breath alcohol test results was also exposed.
Along with the test results were patients’ names, ID numbers, addresses, dates of birth, and dates of when tests had been carried out.
“These files were mistakenly uploaded by a WDH Public Health Division workforce member to private and public online storage locations, known as repositories, on servers belonging to GitHub.com,” said WDH.
The department added that the information “was also unintentionally disclosed, meaning it was made available to individuals who were not authorized to receive it, on GitHub’s public site as early as January 8, 2021.”
WDH has begun the process of notifying impacted individuals but said that it did not have contact details for some of the victims of the breach. Those whom it does manage to reach will be offered a year of free identity theft protection.
“While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com,” said WDH director Michael Ceballos.
He added: “We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help.”
Jeri Hendricks, Office of Privacy, Security, and Contracts administrator with WDH, said that the files have been removed from GitHub and GitHub has destroyed any “dangling data” from its servers.