Oakland County COVID-19 data exposed in leak

Mark Hicks
The Detroit News

Internal COVID-19 data used by the Oakland County health department was briefly exposed during a leak, officials reported Thursday.

The information was shared on the WeChat application between 7 p.m. Tuesday and 8 a.m. Wednesday, when administrators secured it, the county said in a statement.

The leak involved a non-public map "unintentionally marked as public during a recent upload" that included COVID-19 positive case information such as gender, race, age, address, and mortality status, according to the release. It did not include name, Social Security number or any other health information. 

“Information security, especially around data critical to Health Division’s analysis during this pandemic, is of vital importance to the IT Department,” said Mike Timm, Oakland County’s director of information technology. “We are taking additional precautions going forward including no longer sharing internal GIS data by link but rather within our own private environment.”

An investigation determined the exposure peaked at 10 p.m. Tuesday and declined by midnight, while individual access to the GIS URL appeared to have been limited to fewer than 100 WeChat users, although some could also be duplicates, the county said.

There was no evidence the URL was shared outside WeChat and it is no longer available in the application, investigators said.

“We are grateful to the WeChat users who reported the inappropriate use of this information to our department immediately,” Timm said.

Through Thursday morning, the county website reported nearly 5,800 COVID-19 cases and about 420 deaths.