For more than 70 days, a file containing information related to Pitkin County COVID-19 case investigations and contact tracing was “inadvertently” accessible on the internet.
The file was accessible through the county’s COVID-19 webpage between Oct. 1 and Dec. 14 of last year and did not contain social security numbers or financial information.
“Specific information varies by individual, but the investigation determined that the affected file contained ... some or all of the following information: date of birth, employer, name of school/child care facility, underlying conditions, test type, unique ID, symptoms, onset data, if flu vaccination was received and type of flu vaccination,” a county news release issued Thursday morning states.
Pitkin County was made aware of the data privacy incident on Dec. 14 and “immediately” took steps to prevent the file from being accessed, the news release says.
Pitkin County Manager Jon Peacock said the information was accessible in the dashboard section of the county’s COVID-19 webpage.
“It was determined that it was not a security breach but more of a functionality within the software,” Peacock said. “We got that corrected. It was functionality within the software that we were not made aware existed.”
He said an individual who accidentally accessed the information while on the county’s COVID-19 response webpage notified officials. While the county addressed the access issue immediately, it did not release information publicly concerning the incident until one month later.
Peacock said it took time to analyze what data was inadvertently released and to contact individuals whose information may have been accessed.
“We sent out 25 letters to folks indicating that their data may have been accessed,” he said. “We’re still analyzing to see if there’s more that may have been impacted.”
The individuals included Pitkin County residents as well as visitors who may have been involved in a COVID-19 case investigation or contact tracing. According to the news release, the incident was “unrelated to Pitkin County’s contact tracers or their procedures to support an effective disease control strategy.”
To date, Pitkin County has no evidence that any information available online related to local COVID-19 case investigations and contact tracing was misused. Pitkin County will offer affected individuals 12 months of credit monitoring and identity restoration services at no cost to them.
Pitkin County has established a toll-free hotline at 1-833-226-4422 to assist individuals who may have further questions about the incident.
“At this point it’s like, what next?” Pitkin County Commissioner Patti Clapper said Thursday. “I’m not a technology person so I don’t know what all of that means. I’m just so sorry that we had one more incident that is a negative impact to the community. But, I think we will rise from this one too and move forward.”