RAPID CITY, S.D. (AP) — The FBI is investigating a data breach that may have compromised the identity of people with the COVID-19 virus in South Dakota.
Paul Niedringhaus, who directs the South Dakota Fusion Center that handles emergency calls, sent a letter to people who may have been affected by the June 19 breach, the Rapid City Journal reported Friday.
The letter, dated Monday, says the state’s fusion center used Netsential.com’s services to build a secure online portal this spring to help first responders identify people who had tested positive for the coronavirus so they could take precautions while responding to emergency calls.
The South Dakota letter said police in the state weren’t given names but could call a dispatcher to verify positive cases. Houston-based Netsential added labels to the files that might allow a third-party to identify patients, the letter said, and the breach could have compromised people’s names, addresses and virus status.
“This information may continue to be available on various internet sites that link to files from the Netsential breach,” the letter said.
Netsential hosted the websites of more than 200 U.S., law enforcement agencies, most of them fusion centers like the South Dakota one affected. The company confirmed in June that its server had been breached.
The server was the source for a trove of files, dubbed BlueLeaks, that were shared online by a transparency collective called DDoSecrets. The collective said it had obtained them from a hacker who said they were sympathetic to anti-racism protesters.
South Dakota Department of Public Safety spokesman Tony Mangan confirmed to The Associated Press in a short telephone interview that the FBI was investigating but had no further comment. A message left Friday at the FBI’s Minneapolis office wasn’t immediately returned.
The letter from the state agency said the files didn’t include any financial information, Social Security numbers or passwords.
Public officials in at least two-thirds of states share addresses of people who have tested positive with first responders, including police, firefighters and EMTs. An Associated Press review in May found at least 10 states also share patients’ names.
Some states erase the information after a certain period. Still, civil liberties groups have warned that sharing such information could lead to racial profiling of Blacks and Hispanics or help immigration officials track people down.
This story has been updated to correct Paul Niedringhaus’ title. He is the director of the South Dakota Fusion Center, not the South Dakota Department of Public Safety.