Data Breach Leads to Resignations of Wyoming Officials

May 25, 2021

State health director, CIO resign after data leak exposes COVID-19 laboratory test result data involving the health information of thousands of Wyoming residents

David Raths

Bigstock Wyoming Map Flag Map Of Wy U 415203658 60ad2fcdd1b93

The State of Wyoming’s health director and chief information officer resigned after a data leak exposed COVID-19 laboratory test result data involving the health information of thousands of Wyoming residents. The leak affected over one-quarter of Wyoming’s population of 579,000.

Health Director Mike Ceballos will be replaced with Deputy Director Stefan Johansson, while Chief Information Officer Gordon Knopp will be replaced with state Information Services Administrator Timothy Sheehan, both in interim roles, Gov. Mark Gordon announced recently.

The Wyoming Department of Health (WDH) issued a notice saying it became aware of a breach involving protected health information on March 10, 2021. It was discovered that a workforce member inappropriately handled the health information of approximately 164,021 Wyoming residents and others as early as Nov. 5, 2020.

The incident involves an unintentional exposure of 53 files containing COVID-19 and influenza test result data and one file containing breath alcohol test results. These files were mistakenly uploaded by a WDH Public Health Division workforce member to private and public online storage locations, known as repositories, on servers belonging to GitHub.com.

GitHub is an internet-based software development platform typically used for version control and code management while writing code for data models. This incident did not result from a compromise of GitHub or its systems. While GitHub.com has privacy and security policies and procedures in place regarding the use of data on their platform, the mistakes made by the WDH employee still allowed the information to be exposed.

The information was also unintentionally disclosed, meaning it was made available to individuals who were not authorized to receive it, on GitHub’s public site as early as Jan. 8, 2021.

The exposed health information included COVID-19 tests that were electronically reported to the WDH for Wyoming residents, including name or patient ID, address, date of birth, test results and dates of service. The affected files did not contain Social Security numbers or banking, financial or health insurance information.

“We recognize maintaining personal information privacy is important. Because we want to be extra cautious about this situation, we are offering affected individuals one year of free identity theft protection through IdentityForce,” said Jeri Hendricks, Office of Privacy, Security and Contracts administrator with WDH, in a statement. “Because we are committed to the privacy and security of individuals’ protected health information, we have taken steps to help prevent further harm from this situation or similar circumstances from happening again,” Hendricks said. “Files have been removed from the GitHub repositories and GitHub has destroyed any dangling data from their servers. Business practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained.”