Health department breaches expose troves of personal info in Pennsylvania, Wyoming

In Wyoming, an employee accidentally uploaded COVID-19 test results to a public-facing website, while Pennsylvania faced trouble with a third-party contact-tracing vendor.
By Kat Jercich
03:35 PM

Photo by cottonbro via Pexels

A one-two punch of health department-related data breaches over the past month have exposed hundreds of thousands of patient records in Pennsylvania and Wyoming.

In Wyoming, COVID-19, influenza and blood alcohol test results for more than 164,000 people – more than a quarter of the state's population – were accidentally uploaded to a public-facing website this past week.

And in Pennsylvania, a data breach potentially compromised the information of about 72,000 residents involved in the state's COVID-19 contact-tracing program. As of Monday, the state had not yet notified the impacted individuals.


The exposures were related to employee behavior in both cases. 

In Wyoming, according to the health department, an employee accidentally uploaded files containing the personal information to the GitHub platform.  

As reported by the Powell Tribune, the breach exposed the name or patient ID, address, date of birth, test result and date of service for more than 164,000 people.   

More than 145,000 of those individuals are likely Wyoming residents who obtained a COVID-19 or flu test between January 2020 and March 2021.  

Meanwhile, the blood alcohol test data of about 18,000 people was also included. Most of those individuals were also Wyomingites, although some were from out of state.  

Anyone who received a COVID-19 or flu test between last January and this March may be affected, as could anyone who received a breath alcohol test performed by law enforcement in Wyoming between April 19, 2012 and Jan. 27, 2021.  

The department has begun to send notices to residents, but doesn't have contact information for every person.   

"Because we are committed to the privacy and security of individuals’ protected health information, we have taken steps to help prevent further harm from this situation or similar circumstances from happening again," said Jeri Hendricks, Wyoming Office of Privacy, Security and Contracts Administrator, to the Tribune

"Files have been removed from the GitHub repositories, and GitHub has destroyed any dangling data from their servers. Business practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained," said Hendricks. In Pennsylvania, the situation is murkier.

The leak, according to local reports, appears to have sprung through a third-party vendor, Insight Global, that the department had contracted to provide contact tracing and similar services.

The health department said that it had become aware of employees disregarding security protocols – namely, allegedly creating copies of residents' personal information and sending it to sources outside the contact-tracing system.  

Some former employees told WXPI that the company had failed to secure information they'd collected from contacts.

Personal information from more than 72,000 people – including age, gender, sexual orientation, phone number, email address and COVID diagnosis – may have been involved in the breach.  

Several investigations are ongoing, and state Republicans have called the incident an example of "extreme mismanagement" from the governor's administration.  

The health department said that it would not renew its contract with Insight and that notifications will be mailed to affected individuals this week.  


Although high-profile healthcare breaches often involve targeted ransomware or phishing, sometimes the culprit is plain old human error.  

In 2018, a Blue Cross employee uploaded a file containing member information to a public-facing website, where it remained visible for three months.  

Two years prior, Oregon Health and Science University was hit with a hefty compliance fine after a laptop containing unencrypted patient information was stolen during a burglary.  


"The Department of Health takes the safety and security of individuals’ personal information extremely seriously," said Pennsylvania health department spokesperson Barry Ciccocioppo to the Erie Times-News

"We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals," he added.


Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.