COVID-19 Data Breach in South Dakota Under FBI Investigation

Data breaches are nothing new, with companies large and small under attack across the U.S., and the world.  According to Norton, 2019 saw an estimated 3,800 data breaches disclosed, leaving over 4.1 billion records exposed.  Some of the largest breaches impacted financial institutions, entertainment outlets, government entities, and healthcare agencies, among other industries.

In 2020, we’ve already seen a number of significant breaches, as well, with certain entities being targeted specifically because of the coronavirus pandemic.  Zoom, which became hugely popular as workers went remote, suffered an April data breach in which 500,000 user accounts (login credentials, as well as meeting URLs and HostKeys) were stolen and leaked or put up for sale.

The South Dakota Department of Public Safety (DPS) was also the target of a cyber attack affecting patients who were tested for COVID-19, an incident that the FBI is currently investigating.  How did the attack happen and what is the impact to affected individuals?

DPS Attack

The story starts with Netsential.com, Inc., a Texas-based, third-party web development service that offers web hosting.  This service is used nationwide by law enforcement and fusion centers across the nation, and South Dakota is no exception.

The DPS Fusion Center database, hosted by Netsential, was used to house COVID-19 patient information (names, addresses, and COVID test status) received from the Department of Health.  Netsential also helped DPS to develop an online portal that first responders could use to find out if someone in a house they were responding to had tested positive for the virus.  On June 19, Netsential suffered a data breach, during which DPS Fusion Center data was compromised.

Patient Notification

Although the breach happened in June, South Dakota residents impacted by the data theft weren’t notified until nearly two months later, with a letter dated August 17 from the Department of Public Safety.  One recipient, who anonymously sent her letter to the Rapid City Journal, said she didn’t even know her data was being used by DPS, and was surprised to learn about it, along with the breach.

The letter assures those affected by the breach that their data was only used to confirm cases in a given household, and that first responders were not given “a list of COVID-19 positive individuals”.  It also states that the site contained no “financial information, social security numbers, or internet passwords of any individuals”.

However, the letter confirms that the information “may continue to be available on various internet sites that link to files from the Netsential breach”.  Further, Netsential labels on the files could identify individuals as COVID-19 positive, even if viewed by a third party that shouldn’t have access to that information.

South Dakota law requires that Netsential is responsible for notifying those affected, but the company has yet to do so.  A statement on their website reports that the company has enhanced systems to prevent future threats, and says, “Netsential will continue to work with clients impacted by the intrusion.”

With both DPS and Netsential stating they will provide no further information, it’s anyone’s guess why it took two months for DPS to inform affected parties, why the media was never notified, and whether COVID-19 data is still being collected.  That said, the letter directs recipients to the South Dakota Attorney General’s Consumer Protection Division’s website for tips on identity protection, and offers additional information through the DPS Fusion Center.

If your North Dakota business is looking for help preventing data breach though compliant and certified ITAD services, contact the qualified professionals at SEAM today at 605-274-7326 (SEAM) or online to request a quote and learn more.