South Dakotans whose COVID-19 status and other personal information was collected by state agencies may be subject to a data breach that is under federal investigation.
The Department of Public Safety sent out letters dated Aug. 17 to people who may have been affected by the June 19 information breach that targeted the DPS Fusion Center database used to share COVID-19 patient names and addresses to local law enforcement. DPS received the data from the Department of Health.
The Journal learned about the breach after a South Dakota woman sent her letter to the Journal.
The woman — who the Journal agreed to let be anonymous since she's afraid her identity could be stolen — said she thought the DPS letter was going to be a traffic ticket, not a letter saying her name, address, date of birth and COVID-19 status may have been shared with others.
"They didn't tell us that they were using our information, that the Department of Public Safety was using our information in the first place. And now they're telling us that the whole system they were using was breached and my information has been compromised," she said. "I just feel like it's added stress to an already delicate situation" for people who have the virus or have recovered.
The database was hosted on servers from third-party Netsential.com, Inc., a web development firm used by fusion centers and law enforcement across the nation, according to Paul Niedringhaus, director of the Fusion Center.
“This information may continue to be available on various internet sites that link to files from the Netsential breach,” he wrote. “The list did not include any financial information, social security numbers, or internet passwords of any individuals.”
The letter says DPS Fusion Center used Netsential’s services to develop an online portal to help first responders be safe while responding to calls. First responders did not receive a list of COVID-19-positive individuals, but could call a dispatcher to find out if someone in the house had the virus.
It also says the information was restricted to “a select number of South Dakota officials who received both training in handling the data and an individual password for accessing it.” If the information was accessed outside the online portal, individual health information wouldn’t be shared.
But Netsential added labels to the file that could allow a third party to identify a COVID-19 status if it were removed from the system, the letter says.
The Journal asked DPS if it's still collecting COVID-19 patient information ,why it waited two months to alert patients about the breach, why it didn't tell the media about the breach, and other questions.
“The letter speaks for itself, and because this is an FBI-led criminal investigation, we cannot comment any further,” DPS spokesman Tony Mangan responded.
People who received the letter are encouraged to take precautions to secure their information and to visit a website called “South Dakota Consumer Protection” from the Office of the Attorney General. The website discusses identity theft, ways information can be accessed and how to keep information secure. It also lists steps to take if someone’s information is accessed in a security breach.
The letter also says people can visit sdfusion.org/notification to receive answers about the breach.
According to South Dakota law, Netsential needs to notify those possibly affected by the breach, the letter says. But the company hasn't confirmed it would do so, so DPS decided to alert people on its own.
Sending this letter doesn't mean the Fusion Center or DPS "accepts legal responsibility for any claim that may arise from Netsential's breach," Niedringhaus wrote.
The FBI was not immediately available for comment.