peshkov - stock.adobe.com

Healthcare Data Breach in IL Exposes COVID-19 Vaccination Status 

A data breach exposed PHI in Illinois, including COVID-19 vaccination status.

The Lake County Health Department and Community Health Center (LCHD) in Illinois is currently notifying over 700 individuals impacted by a recent healthcare data breach exposing protected health information (PHI), including COVID-19 vaccination status. 

On July 9th, LCHD started notifying the 705 individuals about the data breach, according to a statement

“On May 14, 2021 it was discovered that information was shared between LCHD/CHC staff and volunteers in our COVID-19 Contact Center using a shared Google sheet saved on the volunteer’s private Google drive,” the LCHD statement notes. “The shared information included name, date of birth, phone number, email address, and COVID-19 vaccination status gathered in telephone calls generally occurring in April 2021.” 

“We have no indication that the information has been inappropriately used by anyone,” the health department’s notice states. “We took prompt action to ensure the spreadsheet was moved to a secure data storage location.”  

The Google spreadsheet “did not contain Social Security number(s), financial information, treatment dates, test results, or any other medical history details,” LCHD states.  

The health department took “immediate action to investigate the nature of the information included in the spreadsheet and mitigate any potential for improper use. LCHD elected to inform the Department of Health and Human Services (HHS) as required. This decision was due to the number of records associated with the unencrypted file,” the notice states.  

The agency reported the data beach to the US Department of Health and Human Services 
Office for Civil Rights on July 8th, according to the agency.  

“The Lake County Health Department is committed to providing quality care, including protecting personal information, and we want to assure those affected that we have policies and procedures to protect your privacy,” LCHD’s statement reads. “We have taken action to assure that additional safeguards are in place to prevent similar occurrences in the future such as auto encryption of emails sent outside the lakecountyil.gov domain.”  

Back in July of 2019, the LCHD notified over 24,000 patients that their names were included in “an attached spreadsheet in an unencrypted email sent to an internal employee’s personal email address in July 2019,” according to its statement from 2019.  

Only the patients’ names were breached during that 2019 incident.  

“Since only names were shared via this file and the remaining information does not contain public health information or personally identifiable information, we have no indication that the information was inappropriately used.”    

Individuals can check to see if their information was included in this latest data breach by calling 855-856-1262.

Next Steps

Dig Deeper on Cybersecurity strategies