Illinois Health Department Data Breaches Impact Over 24K Patients

August 02, 2021 - The Lake County Health Department and Community Health Center (LCHD) is notifying individuals about two data breaches.  

According to press releases on the two separate incidents, the Illinois department started notifying individuals on July 2 and July 9.  

The first breach involves COVID-19 vaccination status that was gathered and stored in a Google Drive, according to the first release. 

“The Lake County Health Department and Community Health Center (LCHD) is notifying more than 700 individuals that their name was included in a document stored in an unencrypted drive in May 2021,” the release states. “On May 14, 2021 it was discovered that information was shared between LCHD/CHC staff and volunteers in our COVID-19 Contact Center using a shared Google sheet saved on the volunteer’s private Google drive.”  

The information shared included names, dates of birth, phone numbers, email addresses, and COVID-19 vaccination status that was gathered via phone in April 2021, the release notes.  

“We have no indication that the information has been inappropriately used by anyone,” it states. “We took prompt action to ensure the spreadsheet was moved to a secure data storage location.” 

The Google document did not contain Social Security numbers, financial information, treatment dates, test results or any medical history, according to the notice. 

In the second incident, LCHD is “notifying more than 24,000 patients that their name(s) (were) included in an attached spreadsheet in an unencrypted email sent to an internal employee’s personal email address in July 2019,” according to the separate notice.  

The spreadsheet contained medical records requests from December 2016 and June 2019, made through a third-party vendor, according to the notice.  

“The information in the spreadsheet consisted of numbers and dates relevant only to the vendor along with a name. The spreadsheet did not contain date of birth, Social Security number, financial information, address, treatment dates, test results, or any other medical history details. We have no indication that the information has been inappropriately used,” the statement notes.  

LCHD reported the incident to the US Department of Health and Human Services, and noted the breach contained no protected health information or personally identifiable information, the release states.  

“Since only names were shared via this file and the remaining information does not contain PHI or PII, we have no indication that the information has been inappropriately used,” the notice states.  

Any individual with questions or concerns can call the privacy officer at 855-856-1262.  

“The Lake County Health Department is committed to providing quality care, including protecting personal information, and we want to assure those affected that we have policies and procedures to protect your privacy,” the statement notes.  

“We have taken action to assure that additional safeguards are in place to prevent similar occurrences in the future such as auto encryption of emails sent outside the lakecountyil.gov domain,” it concludes.