The Lake County Health Department announced two data breaches, one of which occurred in 2019, that compromised the data of almost 25,000 people.
Jefferson McMillan-Wilhoit, the Chief Health Informatics and Technology Officer for the Lake County Health Department, said the first breach was discovered on July 22, 2019.
McMillan-Wilhoit told the Chicago Tribune that the first breach, which was disclosed earlier this month, occurred after an unencrypted email was sent to an internal employee’s personal email address.
The spreadsheet consisted of medical records requests from December 2016 to June 2019 made through a third-party vendor who provides release of information services.
The information in the spreadsheet consisted of numbers and dates relevant only to the vendor along with a name.
24,241 people were impacted and the health department mailed them a letter on July 2 notifying them of the breach. It is unclear why it took so long for the health department to notify the people impacted by the breach.
The second breach involved an unencrypted Google spreadsheet used by volunteers and staff, according to Emily Young, a spokesperson for the Lake County Health Department. It was discovered on May 14.
The spreadsheet contained names, dates of birth, phone numbers, email addresses and vaccination status of seniors seeking information on the COVID-19 vaccine, Young said.
705 people were impacted in the second breach and the health department has since notified them via mail about what happened.
“We have no indication that the information has been inappropriately used by anyone. We took prompt action to ensure the spreadsheet was moved to a secure data storage location,” Young said.
An internal risk assessment was completed immediately following the first and second breaches, McMillan-Wilhoit said.
The health department determined no one’s personal health information was compromised in the first breach but federal authorities disagreed and said the information could have been compromised, the Tribune reported.
McMillan-Wilhoit said the health department now has a fully encrypted system in place for its employees and volunteers.
In November, the Lake County Health Department mistakenly released the personal health information of 3,815 long-term care facility residents and staff.
Between June 4, 2020, and August 18, 2020, the Lake County Health Department sent weekly reports of COVID-19 testing results to select contacts at long-term care facilities in Lake County, according to Hannah Goering, a now-former spokesperson for the health department.
The facilities were part of a COVID-19 testing project designed to slow the spread of the coronavirus.
The weekly reports included names, dates of birth, addresses and COVID-19 testing status.
The information was sent via encrypted email in filtered spreadsheets and the filter hid data from other facilities.
However, users could view the hidden information by changing the filter selection, Goering said. As a result, users could access the results from all facilities in the project.
The health department discovered the breach on September 10 and alerted the recipients and instructed them to delete the reports.
Anyone who would like to confirm if their name was included in the breaches can call the department’s privacy officer at 855-856-1262.