Wyoming’s Department of Health Accidentally Leaks 25% of the Population’s PII

Info Security Group online magazine reported that Wyoming’s Department of Health (WDH) accidentally exposed 25% of the state population’s personally identifiable medical information through GitHub.com.

What Happened?

The incident occurred when an employee of the WDH mishandled 53 laboratory test result files. The agency posted a notice about the data breach on their website along with a plan of resolution. 

The organization discovered the data breach on March 10. However, the resulting investigation revealed that it could have begun as early as November 5, 2020. Roughly 164,021 Wyoming residents are affected by the data breach and their personal information was inadvertently revealed online.

Some of the information exposed in the breach includes COVID-19 test results, influenza, and even blood alcohol test results from January 2020 to March 2021. More alarmingly, along with the test results, the data exposed patients’ names, ID numbers, home addresses, birthdates, and the date of the tests. 

How Has the WDH Responded?

When asked for a comment, a spokesperson for the WDH said:

“These files were mistakenly uploaded by a WDH Public Health Division workforce member to private and public online storage locations, known as repositories, on servers belonging to GitHub.com.”

Additionally, they noted that the information “was also unintentionally disclosed, meaning it was made available to individuals who were not authorized to receive it, on GitHub’s public site as early as January 8, 2021.”

The Wyoming Department of Health is notifying all individuals now. There are, however, some individuals that they do not have complete contact information for and may not be able to reach all affected patients. The state agency is offering one free year of identity theft protection for all affected persons.

WDH director Michael Ceballos said:

“While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com.” 

He also offered up an apology “We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help.”

The agency reassures the public that the files in question have been removed and all traces of the exposed data.

What is PII?

Personally identifiable information is data linked to a specific person like a social security number, driver’s license ID, or medical ID. These are unique identifiers that bad actors could potentially use for identity theft or fraud. 

How Can Identity Theft Occur from a Data Breach Like This?

As evidenced by this attack, data breaches don’t just occur through hacking. Often employees make mistakes, and information is exposed online. With so many companies using online cloud storage, it is not that big of a surprise.

However, each one of those 164,000 people whose information was exposed online is now at risk of identity theft. Cybercriminals collect as much data as possible about someone, usually by combining information stolen in multiple data breaches. They put together profiles with enough details to gain access to the person’s accounts or trick government agencies so they can obtain passports, social security numbers, or other IDs to use with banking, property rental, or opening new credit accounts in the victim’s name.

Another way identity theft occurs is through phishing emails. Hackers may send very convincing emails to victims of a data breach using some of their own personal information. The recipient trusts the email because they see their own personal information that only the sender must know. They don’t, however, realize it’s a spoofed email address and a trick to steal more information or commit fraud. 

You can never be too careful when protecting your PII from identity thieves.