Security lapse exposes hundreds of addresses of Minnesotans infected with COVID-19

[anvplayer video=”4966555″ station=”998122″]

In April, Gov. Tim Walz signed an executive order allowing the Minnesota Department of Health and the Minnesota Department of Public Safety to share addresses of COVID-19 patients with first responders across Minnesota.

The governor imposed strict guidelines for sharing those addresses to protect the identity of Minnesotans with COVID-19. MDH and DPS also set up protocols that required the addresses be sent via encrypted emails and only to the 911 dispatch centers close to where the patients lived.

But 5 EYEWITNESS NEWS obtained internal city and state documents which show there have been numerous times, starting in August, where those protocols were not followed and the privacy of addresses of COVID-19 patients was compromised.

In a letter from the Minneapolis City Attorney’s Office to MDH Commissioner Jan Malcolm and DPS Commissioner John Harrington, there were serious warnings and examples of the data breach.

The letter was sent Thursday, Sept. 24.

In the letter, it stated, "Instead of the City of Minneapolis receiving only addresses in Minneapolis, it has been receiving addresses for what appears to be entire state since Aug. 18, 2020."

Full KSTP COVID-19 coverage

It also said "In Sept., emails were sent to 193 recipients," which appear to be every 911 dispatch center in the state.

The day after the letter was sent, DPS sent an email to every 911 dispatch center in the state which said, "MDH is pausing providing ECN with residential and long-term addresses and remove lists to allow time to review and assess the resource needs of this activity."

State Representative, Peggy Scott, (R) Andover, told KSTP the breach is a "very serious matter, because anything the government holds about us is no more important than our health information."

"It seems to me to be, at the very least, a lot of carelessness," Scott said. "Hundreds of Minnesotans, or more, with COVID-19 have had their addresses and potentially their identities exposed because of this mistake by either MDH, DPS, or both."

Scott sits on the House Judiciary, Civil Law and Data Practices Committee and said there needs to be an audit to find out what went wrong in the process and how to fix it.

"There is no question there needs to be an audit, either a DPS internal audit, or possibly an external audit," Scott said. "We need to hold someone accountable for this, and then we have to make sure every COVID patient who had their address and privacy compromised needs to be notified by the state because that is the law."

KSTP reached out to MDH and DPS for a response but has not yet received any comment.