California breach highlights contact tracing data vulnerabilities
A California-based hospital reported Thursday that a state employee had improperly accessed more than 2,000 employee and patient records over the course of about 10 months.
According to the Department of State Hospitals, the breach included names, COVID-19 test results and health information necessary for tracking COVID-19 for about 1,415 patients and former patients, as well as 617 employees at Atascadero State Hospital.
Although the number of exposed records was relatively small compared to some of the highly publicized breaches as of late, experts said the incident highlighted the importance of securing contact tracing data.
"This is a whole other dimension of data which we haven’t figured out what to do with. What happens when the pandemic is over? Will this information be neglected?" said Caleb Barlow, CEO of the cybersecurity firm CynergisTek.
WHY IT MATTERS
DSH reported that the breach had been identified on February 25 as part of a standard review.
"It appears that the employee used the access they were provided in order to perform their normal job duties to go directly into the server, copy files containing patient, former patient, and employee names, COVID-19 test results, and related health information without any apparent connection to their job duties, indicating a high probability of unauthorized access," it said in an FAQ released about the incident.
The safeguards in place had not caught the unauthorized actions earlier, said the department, because of their similarity to the employee's job duties.
"It is common practice for system administrators to copy files on behalf of DSH business units, which makes it challenging to automatically detect any files they might be copying or accessing inappropriately," said the FAQ.
Currently, DSH said it had no evidence that the information was improperly used – nor did it know why the employee had performed these actions.
This isn't the first time contact tracing data has been targeted recently. In January, Pitkin County, Colorado, announced that a file containing information related to COVID-19 case investigations and/or contact tracing had been left "inadvertently accessible" via the internet for more than two months.
"Specific information varies by individual, but the investigation determined that the affected file contained the some or all of the following information: Name, Address, Date of Birth, Employer, Name of School/Childcare Facility, Underlying Conditions, Test Type, Unique ID, Symptoms, Onset Date, If a flu vaccination was received and type of flu vaccination," said a press release. "The affected file did not contain Social Security numbers or financial information."
"This is not normal personal-identifying information," said Barlow.
THE LARGER TREND
Concerns around cybersecurity and COVID-19 have loomed large since the start of the pandemic, with the thirst for accurate information making people (including health system employees) more vulnerable to bad actors.
The vaccine distribution pipeline presents its own risks, with potential targets at multiple steps of the process.
And security has been found lacking in apps aimed at addressing the pandemic, raising concerns about the intersections between privacy and mass surveillance.
ON THE RECORD
The California Department of State Hospitals said that it had tightened security protocols to ensure this doesn't happen again, noting that "all admin activities will be logged and monitored on a more detailed basis."
"Automated detection mechanisms will be tightened to detect transfer of PHI to locations which do not typically store PHI," explained the DSH's FAQ. "Senior management approval has been added to any administrator access, and the review of access will be conducted more frequently."