Pitkin County website compromised personal info from residents, visitors about contact tracing | AspenTimes.com

Pitkin County website compromised personal info from residents, visitors about contact tracing

Data breach for more than 2 months allowed some information given for tracing, disease investigation to be available

Personal information about hundreds of Pitkin County residents and visitors was downloaded late last year after it was inadvertently left out in public on the internet, an official said Thursday.

The information was related to the county’s COVID-19 contact tracing and disease investigation efforts and did not include social security numbers, addresses or financial information, said Jon Peacock, Pitkin County manager.

It did, however, include dates of birth; employer information; COVID symptoms experienced and date of onset; the date, type and results of COVID-19 tests taken; underlying health conditions; whether the person had gotten a flu shot; and any school or child care used by the contact, he said. The information was accessible and able to be downloaded between Oct. 1 and Dec. 14.

“There’s no evidence of any misuse of the information,” Peacock said. “It was a functionality within the (software) program to put the data on (the county’s) website and allowed users to access the information. It had fields people should not have had access to.”

The breach was not a hack. It came to the attention of county officials Dec. 14 from a person who was able to download the restricted information, and was immediately stopped, Peacock said. The county is unable to track exactly who downloaded the information during the two-and-a-half months it was publicly available so it was not clear Thursday how many times such an action occurred.

“Frankly, we think the data was inadvertently downloaded by people,” he said.

The exact number of people affected was not available Thursday, he said, though it will top out “in the hundreds.” The county already has sent out 25 letters to those who’ve been identified as having compromised personal information, which includes both residents and visitors because both were involved in contact tracing efforts, he said.

“We’re notifying people when we have the information,” Peacock said. “I think there’s a lot of concern out there about the information. But I want to note that the same day we were made aware (of the breach), we shut down access to the data.”

The county took a month to notify the first round of people because officials had to work with the internet services vendor to identify who was affected, he said.

Anyone whose information was tracked will receive 12 free months of credit monitoring and identification restoration services through a company called ID Experts.

Those who think they’re information might have been compromised can call 1-833-226-4422, or email dataconcerns@pitkincounty.com, with questions.


More Like This, Tap A Topic

See more