In June 2020, the Houston, TX-based web developer Netsential had its web servers hacked and almost 270 gigabytes of data were stolen and was published online on June 19, 2020 by the hacking group Distributed Denial of Secrets (DDoSecrets). The hack and data leak incident was termed “BlueLeaks” and included 10 years of law enforcement data from around 200 police departments and fusion centers. Fusion centers gather and analyze threat information and share the data with states, government organizations, and private sector firms. The leaked data contained more than 1 million lines and included scanned documents, video and audio files, and emails.
The South Dakota Department of Public Safety’s State Fusion Center has recently announced that it has also been impacted by the data breach. The South Dakota Fusion Center developed a secure online portal in the spring of 2020 using Netsential’s services. The portal was developed to allow first responders to identify COVID-19 positive individuals so they would be able to take extra precautions to avoid being infected when responding to incidents. Data about infected individuals were not provided directly to first responders, instead they could call a dispatcher who would verify whether a particular individual was COVID-19 positive through the secure online portal.
The portal had appropriate security controls in place and only a limited number of trained South Dakota officials were granted access to the portal, which was housed on Netsential’s secure web servers. Security measures had also been implemented to ensure that in the event of an unauthorized individual gaining access to the data file separately from the online portal, it would not be possible to access individual health information.
However, Netsential added labels to the file which inadvertently allowed the information of individuals to be accessed in the event of the file being removed from Netsential’s systems. That file was stolen in the BlueLeaks attack and, as a result of Netsential’s security failure, the names, addresses, dates of birth, and COVID-19 statuses of an undisclosed number of individuals was accessible to the hackers. Affected individuals are now being notified.
The post Personal and COVID-19 Status Data Stolen from South Dakota Fusion Center in “BlueLeaks” Hacking Incident appeared first on HIPAA Journal.