FBI Investigates COVID-19 Patient Data Breach

The FBI is investigating a data breach that exposed the personal information of South Dakota residents who had contracted COVID-19. 

The data breach took place in June when a database shared between the Department of Health and law enforcement agencies was exposed by a third-party vendor.

Information stored in the database was used to establish an online portal designed to reduce the chances of law enforcement officers and medics' catching the novel coronavirus in the course of performing their duties. The portal allowed first responders to contact a dispatcher and find out if someone at an address to which they were being sent had tested positive for the virus.

Netsential.com, Inc., a web development company used by law enforcement agencies and fusion centers across the United States, hosted the database on its servers. The data breach happened on June 19 when Netsential added labels to a file that could allow a third party to identify a COVID-19 status if it were removed from the system.

Information exposed in the incident included names, addresses, dates of birth, and infection status. Department of Public Safety (DPS) officials said no Social Security numbers or financial data was compromised. 

The DPS informed COVID-19 patients in a letter dated August 17 that their data may have been exposed. The letter, signed by DPS director Paul Niedringhaus and seen by Rapid City Journal, warns patients that their information may now be accessible online.

“This information may continue to be available on various internet sites that link to files from the Netsential breach,” the letter states. “The list did not include any financial information, Social Security numbers, or internet passwords of any individuals.”

Recipients of the letter are advised to visit a webpage titled “South Dakota Consumer Protection” from the Office of the Attorney General. The page contains advice on preventing identity theft and securing information. 

“The letter speaks for itself, and because this is an FBI-led criminal investigation, we cannot comment any further,” said DPS public information officer Tony Mangan.

Netsential hit the headlines in June after thousands of US police records were exposed in a cyber-incident dubbed BlueLeaks.  

What’s Hot on Infosecurity Magazine?