Health Department data breach exposed info of 164K Wyomingites

CASPER – A data breach at the Wyoming Department of Health publicly exposed COVID-19, influenza and blood alcohol test data from more than a quarter of Wyomingites and some out of state residents, the department announced Tuesday. 

The breach occurred when an employee erroneously uploaded files containing that data to the public code-hosting platform GitHub. 

Data for more than 164,000 individuals was uploaded to the site, according to the health department. 

More than 145,000 people affected are believed to be Wyoming residents who received a COVID-19 or influenza test between January 2020 and March 2021. Blood alcohol test data involved just over 18,000 people, most of whom are Wyoming residents, according to the health department. 

The state has about 577,000 residents, according to census data released Monday. 

The health department had used GitHub to store and maintain computer code, but “a significant and very unfortunate error was made when the test result data was also uploaded to,” department director Michael Ceballos said in a statement. 

The breach exposed the name or patient ID, address, date of birth, test result and date of service of certain residents who had received a COVID-19, influenza or blood alcohol test. It did not expose social security, banking or health insurance information, according to the health department. 

The range of people who might be affected is broad. 

Anyone who received a COVID-19 or influenza test between January 2020 and March 9, 2021 may have had their information included in the breach. Anyone who received a breath alcohol test performed by law enforcement in Wyoming between April 19, 2012 and January 27, 2021 may also be affected. 

The health department began sending notices to residents Monday but explained contact information is incomplete for every affected resident. 

The department has opened a hotline for residents to confirm whether their data may have been involved. 

The department is asking residents who fall into one of the above categories but who do not receive a notice within the next two weeks to call 1-833-847- 5916 Monday through Friday, 9 a.m. to 7 p.m. through Aug. 6 to determine if their information was affected.

Anyone who has been affected will receive a free year of identity theft protection, said Wyoming Office of Privacy, Security and Contracts Administrator Jeri Hendricks. 

“Because we are committed to the privacy and security of individuals’ protected health information, we have taken steps to help prevent further harm from this situation or similar circumstances from happening again,” Hendricks said. “Files have been removed from the GitHub repositories and GitHub has destroyed any dangling data from their servers. Business practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained.” 

Hendricks added her office had completed an investigation into the incident.