The Wyoming Department of Health (WDH) said on Wednesday it accidentally posted COVID test results of state residents onto their public-facing storage buckets.
The WDH said in a public advisory that an employee fumbled the health information of about 164,021 Wyoming residents and of people from other states as early as Nov. 5. The department learned about the data exposure on March 10. The 2020 census showed that Wyoming has about 577,000 residents, meaning that this spill affected about 25% of its population.
The publicly accessible information involved 53 sets of files. Besides COVID-19 and and influenza test results, the cache also contained a file with breathalyzer test results; names or patient IDs; addresses; dates of birth; and the dates when patients were tested. The COVID-19 test results weren’t just from tests taken in Wyoming and electronically uploaded. Test results could have also been performed anywhere in the US between January 2020 and March 2021.
As far as the breath alcohol tests go, the employee accidentally posted the results of 18,312 people – mostly from Wyoming but also from other states – who breathed into a tube for law enforcement in Wyoming as far back as April 19, 2012 and on up until Jan. 27, 2021.
The employee mistakenly uploaded all that to private and public online storage repositories in the cloud, where prying eyes roam as free as mustangs.
Swallow This Bitter Pill Once Every Few Months Or So
It’s far from the first time that we’ve seen developers (or whichever type of WDH employee goofed) fat-finger public health records like this.
In December, 45 million medical images were exposed online, freely left up for grabs for blackmailers, fraudsters or other criminals, due to unsecured technology that’s typically used to store, send and receive medical data. And last August, Dutch researcher Jelle Ursem found what he called the “Typhoid Mary of data leaks”: nine separate files of highly sensitive personal health information (PHI) from apps such as Office 365 and Google G Suite, from nine separate health organizations, leaked to GitHub, thanks to developer errors.
That one was quite the eye-blinker for the developer involved. “It seemed that if there was any way this developer could do something wrong or mess something up, he would,” researchers wrote at the time. “And he seemed to be surprisingly unaware that everything he was doing was visible to others.”
It’s unclear what mistakes were involved in the Wyoming exposure. Developers often use GitHub as a place to tuck away their code while they’re doing version control and code management for data models, and that is, in fact, what the WDH employee was using it for. Absolutely not GitHb’s fault, the department said; this is all on us, it said in the advisory: “This incident did not result from a compromise of GitHub or its systems. While GitHub.com has privacy and security policies and procedures in place regarding the use of data on their platform, the mistakes made by the WDH employee still allowed the information to be exposed.”
Department spokeswoman Kim Deti told the Associated Press that the state doesn’t know whether anybody’s abused the spilled records. Now is a good time to worry about that, given how easy it is to find public health records online: With the Typhoid Mary situation last year, it took Ursem less than 10 minutes to find the exposed data. He tried variations on simple search phrases such as “medicaid password FTP”, which led him to the jackpot of “potentially vulnerable hard-coded login usernames and passwords for systems.”
Hopefully the Wyoming spilling of sensitive data is less typhoid, more irritating rash. Michael Ceballos, WDH director, said in the advisory that nobody’s social security numbers, banking, financial or health insurance information was exposed.
“While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com,” Ceballos said. “We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help.”
Who’s Game for a Fictional Knee Replacement?
Exposed PHI is indeed a serious concern, given what hot commodities personally identifying information (PII) and PHI are on the dark web. Threat actors buy it to use for blackmail, or to scam the medical system to set up ghost patients using ghost clinics to get expensive ghost treatments. Case in point: Fraud analysts once came across an organized crime ring that was methodically buying up failed pizza place storefronts in Florida strip-malls. The crooks filed fraudulent Medicaid claims from the pizza joints for big-ticket procedures such as knee replacements. The fraud analyst who uncovered the plot affectionately dubbed it ‘The Florida Pizza Fraud Report’,
Experts say that with this much at stake, it only takes one misstep – or, in a case like this, a mis-keystroke or two – to fracture the system.
“Unfortunately, this is another example of human error resulting in unfortunate consequences,” noted Erich Kron, a Security Awareness Advocate at KnowBe4, in an email to Threatpost Thursday morning. “In our modern world, where working with personal data and protected health information is part of a daily norm, mistakes certainly happen. Sadly, even the simplest errors can expose private information of thousands or even millions of individuals in a matter of a few keystrokes.”
That’s why we need procedures that identify mistakes as soon as they happen, not months after sensitive personal data has been mistakenly blabbed, he said. That can include monitoring public repositories, for example. “Because it is easy for people to become comfortable when dealing with huge volumes of information that is private and personal in nature, procedures must be put in place to prevent or identify when these mistakes take place. Monitoring public repositories such as GitHub and cloud storage services, and employing Data Loss Prevention (DLP) controls can help reduce or eliminate the accidental disclosure of this type of data.”
Continuous training is also crucial, since it’s all too easy for employees to become complacent about their work, Kron said. “Whether the data is accidentally shared by uploading to an exposed cloud service, or lost through a scam or phishing attack, the end result is equally devastating to those who have been impacted.”
Bill Santos, president, of Cerberus Sentinel, agrees with that sentiment. “This incident highlights the importance of creating cybersecurity awareness at every level of an organization,” he told Threatpost in an email on Thursday morning. Regardless of the technology deployed, it only takes one person to expose confidential information on a significant scale. Changing the culture of an organization, emphasizing the importance that every employee plays in protecting the assets of the company and its customers and consumers, is the critical first step to addressing the data exposure crisis we are seeing today.”
Turn Your Head and Cough Up the Data
Jeri Hendricks, Office of Privacy, Security and Contracts administrator with WDH, said that the department has wiped the files from the GitHub repositories and that GitHub has snipped any dangling data bits from its servers. To boot, employees have been retrained, and from here on out, GitHub or other public repositories are verboten in the department’s business practices, he said.
“Because we are committed to the privacy and security of individuals’ protected health information, we have taken steps to help prevent further harm from this situation or similar circumstances from happening again,” Hendricks said.
WDH started sending notices to potentially affected people on Monday but noted that it doesn’t have full contact information for everyone. The department said that Wyoming residents who got COVID-19 tests anywhere in the U.S. before March 10 should call (833) 847-5916 to find out if their information was involved. Anyone who took a breath alcohol test given by Wyoming law enforcement between April 19, 2012, and Jan. 27, 2021 should also call, the WDH said.
How to Protect Your Vitals
The WDH is also providing a year of identity theft protection through the IdentityForce credit and dark web monitoring service for those affected. To take advantage of the protection, call (833) 847-5916 to enroll.
The WDH also passed on these health tips for health data:
- Carefully read medical providers’ notices of privacy practices
- Regularly request and maintain copies of health information
- Monitor health information for accuracy, and request an amendment if incorrect
- Request an accounting of disclosures from medical providers, especially if information is potentially being used or disclosed inappropriately
- If necessary, request restrictions of health information uses and disclosures
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.