The Wyoming Department of Health knows it accidentally published the personal information of 164,000 residents on a public website earlier this year. But it remains a mystery as to whether any bad …
The Wyoming Department of Health knows it accidentally published the personal information of 164,000 residents on a public website earlier this year. But it remains a mystery as to whether any bad actors accessed the data before the department discovered the mistake and took the files offline.
The roughly 54 files that were uploaded to GitHub.com contained names, dates of birth, addresses, some driver’s license numbers and results for COVID-19 and alcohol breath tests.
Between the data’s upload in January and deletion in March, roughly 13 IP addresses appear to have accessed the data in some form or fashion, Department of Health Interim Director Stefan Johansson said Thursday.
“We cannot determine who that was or if these were web crawlers that comb all websites basically all the time,” Johansson told the Legislature’s Joint Labor, Health and Social Services Committee. “That’s something that we don’t know.”
It’s possible that no one obtained a copy of the data before it was scrubbed from the internet. However, under federal regulations and the department’s policies, “we assume the worst and we act as if the worst had happened,” Johansson said.
If a malicious actor did obtain the data files, they could potentially use the information for “online targeting,” Johansson said, such as by trying to gain access to a person’s social media accounts or deploying some kind of phishing scam to obtain more sensitive and potentially lucrative information. The interim director noted that “the highly sensitive data” — such as Social Security numbers, insurance and financial information — “was not involved in this.”
For the roughly 164,000 people whose personal information was publicly exposed, the department is offering identity theft protection services and operating a phone line to field questions.
After the department publicly announced the breach, a scammer or group of scammers tried to capitalize, posing as the department in phone calls and trying to convince residents to give up their personal information. The department quickly issued a warning to the public.
“We tried to do our best to put out information … to make sure that hopefully they knew that we would never call and ask for that type of information, even after an event like this,” Johansson said.
As for how the data breach occurred, Johansson said the department had been using the website GitHub to manage and update computer code related to various public health data reporting requirements. However, when posting a long string of code, one analyst failed to include a certain “NOR function” that would have told the program to skip over the sensitive files, Johansson said. Without that function, the sensitive files were instead called and uploaded to GitHub’s public repository, he said.
The error “was absolutely inadvertent and accidental,” the interim director added. Amid the COVID-19 pandemic, he said the department threw a lot of work and a lot of employees at public health efforts — and in that environment, “you run the risk of making mistakes.”
“We’ve all equated it somewhat to wartime,” Johansson said, “and I think that’s part of the reason that you risk some quality measures slipping. And that’s certainly what happened here.”
Two employees were involved with the breach: One no longer works for the Department of Health, while the other “has received sanctions, additional training, and progessive disciplinary actions have been taken,” Johansson said.
Department of Health Director Mike Ceballos and state Chief Information Officer Gordon Knopp both resigned in the wake of the breach, though they did not announce whether their departures were directly related to the incident.
Although the breach was “certainly not the fault of the platform” — Johansson in fact made a point of praising the site for its help — he said the department is no longer using GitHub for any purposes. The department also reviewed and updated all of its privacy and security policies, including how often they train employees on best practices.
“Certainly the department regrets this happened, especially after what we’ve all been through the last 15 months,” Johansson said. “But I believe we’ve taken the appropriate actions.”
Committee members had no questions.