[BreachExchange] Public Health Records Exposed in Denton County, Texas, Breach

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Sep 1 08:40:57 EDT 2021


https://www.govtech.com/news/public-health-records-exposed-in-denton-county-texas-breach

Hundreds of thousands of public health records, including COVID-19
vaccination details, were exposed in a data breach that was linked to an
app that is used at Denton County vaccine clinics, officials say.

A malfunction in the third-party software revealed contact and identifying
information, as well as COVID-19 vaccination types and appointment dates
and times, on the internet, officials said in a written notification that
was sent to people who were affected.

The county learned of the breach in early July and discontinued use of the
app at vaccine clinics until the malfunction was resolved. The county said
it has resumed using the app.

It is unclear how many people were affected, but 1,286,106 records were
exposed, according to a report from UpGuard Research, a cybersecurity firm
that first notified Microsoft of the problem. However, Denton County said
Monday evening that the actual number of records involved, after duplicates
were eliminated, was 326,415.

In the notification, the county said it was not aware of any instances that
the information was “misused,” but it advised anyone whose information was
affected to be vigilant against fraudulent activity.

“There is no indication that this vulnerability was exploited, nor is there
evidence that any data has been misused,” a county spokeswoman said.

The malfunction in the app, which was operated by Microsoft, was
responsible for revealing 38 million records from 47 entities that use the
software, UpGuard Research said.

Governmental agencies in Indiana, Maryland and New York and private
businesses including Ford, American Airlines and J.B. Hunt were also
affected. The unsecured data from companies included employee contact
information, drug testing information and Social Security numbers.

Denton County said it never collected Social Security or driver’s license
numbers or financial account information.

UpGuard Research said in a written statement that it notified Denton County
officials of the breach July 7 and that the data was secured the same day.

Microsoft said in a written statement that it takes “security and privacy
seriously” and encouraged its users to “use best practices” for internet
privacy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210901/0cb7d0e0/attachment.html>


More information about the BreachExchange mailing list