Microsoft Vulnerability Leaks COVID-19 Vaccination Records in TX County

September 02, 2021 - UPDATE 9/3/21: An updated total of 326,417 individuals were impacted by the Denton County breach, HHS' Office for Civil Rights data breach portal confirmed.

Denton County, Texas alerted its residents of a cybersecurity incident that resulted in hundreds of thousands of vaccination records being leaked due to a third-party application vulnerability. Original counts showed millions of records, but the county later determined that some of the records were duplicates.

The incident was just a small portion of a major Microsoft Power Apps breach that exposed a total of 38 million records containing personally identifiable information (PII), including those of Denton County residents.

Independent cybersecurity firm UpGuard discovered a vulnerability in Microsoft Power Apps that allowed private data to be publicly accessible. The vulnerability was a major design mishap that resulted in customers who had not enabled table permissions accidentally exposing information.

UpGuard notified Denton County of the breach on July 2nd, got in contact with the county’s IT department on July 7. The data was secured the same day.

“The significant lists included “msemr_appointmentemrset” which had 632,171 records including vaccination types, appointment dates and times, employee IDs, full names, email addresses, phone numbers, and data of birth,” UpGuard found.

“The list “contactVaccinationSet” had 400,091 records with fields for full names and vaccination types, and “contactset” had 253,844 records with full names and email addresses.”

Denton County later determined that some of the records were duplicates. The County immediately shut down the third-party application, which had been used at COVID-19 vaccination clinics across the county.

“The investigation confirmed that there was a configuration error on the third-party application that potentially exposed individual’s health information to anonymous public users. While The County has no evidence of actual or attempted misuse of any information, The County could not rule out the possibility of access to data present in the database,” Denton County’s statement explained.

“The County undertook a lengthy and labor-intensive process to identify the health information impacted in the database. The only health information potentially impacted was COVID-19 vaccination data. The County never collected social security numbers, driver license numbers, or financial account information.”

The exposed information may have included COVID-19 vaccination information, names, birthdates, emails, and phone numbers. Since the security incident, Denton County has worked with Microsoft to implement additional cybersecurity measures.

Although the county said it did not suspect any misconduct, it did warn impacted individuals to remain vigilant and review account statements for suspicious activity.

UpGuard’s discovery impacted a variety of organizations, including American Airlines, Maryland Department of Health, the state of Indiana, New York City Municipal Transportation Authority, and Ford. UpGuard notified all impacted organizations as soon as it discovered the vulnerability.

“In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated,” the report explained.

As a result of the investigation, Microsoft enabled table permissions by default to avoid further vulnerabilities. In addition, Microsoft now provides customers with a self-diagnosis tool to detect potential data privacy issues.