Pitkin County website compromised personal info from residents, visitors about contact tracing
Data breach for more than 2 months allowed some information given for tracing, disease investigation to be available
Personal information about hundreds of Pitkin County residents and visitors was downloaded late last year after it was inadvertently left out in public on the internet, an official said Thursday.
The information was related to the county’s COVID-19 contact tracing and disease investigation efforts and did not include social security numbers, addresses or financial information, said Jon Peacock, Pitkin County manager.
It did, however, include dates of birth; employer information; COVID symptoms experienced and date of onset; the date, type and results of COVID-19 tests taken; underlying health conditions; whether the person had gotten a flu shot; and any school or child care used by the contact, he said. The information was accessible and able to be downloaded between Oct. 1 and Dec. 14.
“There’s no evidence of any misuse of the information,” Peacock said. “It was a functionality within the (software) program to put the data on (the county’s) website and allowed users to access the information. It had fields people should not have had access to.”
The breach was not a hack. It came to the attention of county officials Dec. 14 from a person who was able to download the restricted information, and was immediately stopped, Peacock said. The county is unable to track exactly who downloaded the information during the two-and-a-half months it was publicly available so it was not clear Thursday how many times such an action occurred.
“Frankly, we think the data was inadvertently downloaded by people,” he said.
The exact number of people affected was not available Thursday, he said, though it will top out “in the hundreds.” The county already has sent out 25 letters to those who’ve been identified as having compromised personal information, which includes both residents and visitors because both were involved in contact tracing efforts, he said.
“We’re notifying people when we have the information,” Peacock said. “I think there’s a lot of concern out there about the information. But I want to note that the same day we were made aware (of the breach), we shut down access to the data.”
The county took a month to notify the first round of people because officials had to work with the internet services vendor to identify who was affected, he said.
Anyone whose information was tracked will receive 12 free months of credit monitoring and identification restoration services through a company called ID Experts.
Those who think they’re information might have been compromised can call 1-833-226-4422, or email firstname.lastname@example.org, with questions.
Support Local Journalism
Support Local Journalism
Readers around Aspen and Snowmass Village make the Aspen Times’ work possible. Your financial contribution supports our efforts to deliver quality, locally relevant journalism.
Now more than ever, your support is critical to help us keep our community informed about the evolving coronavirus pandemic and the impact it is having locally. Every contribution, however large or small, will make a difference.
Each donation will be used exclusively for the development and creation of increased news coverage.
Start a dialogue, stay on topic and be civil.
If you don't follow the rules, your comment may be deleted.
User Legend: Moderator Trusted User
Data — even for those who love to crunch the numbers — is only one part of the teacher retention story at Aspen School District.