Fraud alert follows health department data leak

The health information of thousands of state residents was mistakenly exposed earlier this year, according to announcement from the Wyoming Department of Health (WDH). The department is now warning about fraudulent calls from people falsely claiming to represent the department.

“The callers falsely claim to represent us, say they are calling about the breach and then ask the individuals they’ve reached for insurance, Medicare, Medicaid or other financial information. In some instances, it seems they have been able to make it appear as if the calls are coming from state government phone numbers,” said Jeri Hendricks, Office of Privacy, Security and Contracts.

“No one representing the department will ask you for insurance, Medicare, Medicaid or personal financial information. No one representing the department will call you about the breach unless they are returning a call you made to us first.”

WDH says it became aware of a breach on March 10, when it was discovered that a member of the workforce “inappropriately handled” the health information of an estimated 164,021 residents as early as November 5, 2020.

According to the announcement, 53 files were unintentionally exposed, containing COVID-19 and influenza test result data, as well as one file containing breath alcohol test results. These were mistakenly uploaded to private and public online storage locations on servers belonging to GitHub.com.

GitHub is an internet-based software development platform used while writing code for data models. The incident was not caused by a compromise of the platform or its systems, says the WDH. However, “while GitHub.com has privacy and security policies and procedures in place regarding the use of data on their platform, the mistakes made by the WDH employee still allowed the information to be exposed.”

The information made available to individuals who were not authorized to receive it included names or patient IDs, address, date of birth, test results and dates of service; it did not include social security numbers or banking, financial or health insurance information. The affected tests could have been performed anywhere in the U.S. between January 2020 and March 2021.

A special WDH information line has been established at 1(833) 847-5916. The phone line will be available Monday through Friday, 9 a.m. to 7 p.m. through August 6.

Wyoming residents who received COVID-19 or influenza tests anywhere in the United States between January 2020 and March 9, 2021 but who do not receive a written notice within the next two weeks, should call the information line to learn if their information was involved. In addition, anyone who received a breath alcohol test performed by law enforcement in Wyoming between April 19, 2012 and January 27, 2021 who doesn’t receive a letter should also call.

“Because we want to be extra cautious about this situation, we are offering affected individuals one year of free identity theft protection through IdentityForce,” said Jeri Hendricks, Office of Privacy, Security and Contracts administrator with WDH.

To take advantage of the offer, affected individuals can call the WDH information line at 1(833) 847-5916 for an IdentityForce verification code to allow online enrollment for the service.

“Because we are committed to the privacy and security of individuals’ protected health information, we have taken steps to help prevent further harm from this situation or similar circumstances from happening again,” Hendricks said. “Files have been removed from the GitHub repositories and GitHub has destroyed any dangling data from their servers. Business practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained.”