COVID-19 Patient Data Breach
DPS Fusion Center, the database used to store and share COVID-19 patients’ names and addresses with local law enforcement, was subject to a data breach. DPS sent out breach notification letters to affected patients stating that their names, addresses, dates of birth, and COVID-19 statuses may have been affected by the patient data breach.
The purpose of the database was to create an online portal to increase the safety of first responders. To access the data, first responders would call a dispatcher before responding to a house call to determine whether or not someone in the house had tested positive for COVID-19.
DPS claims that the data was only available to “a select number of South Dakota officials who received both training in handling the data and an individual password for accessing it,” and that protected health information (PHI) could not be accessed outside of the portal. However, the third-party software developer added labels to patient files that could easily identify a patient’s COVID-19 status outside the system.
One woman affected by the patient data breach shared her letter with a local news organization, which can be viewed below.
The news organization also interviewed the patient. During the interview, she stated, “They didn’t tell us that they were using our information, that the Department of Public Safety was using our information in the first place. And now they’re telling us that the whole system they were using was breached and my information has been compromised. I just feel like it’s added stress to an already delicate situation.”