The Office of Inspector General (OIG) conducted an audit of the data privacy and cybersecurity of the Chicago Department of Public Health’s (CDPH) COVID-19 contact tracing program. Contact tracing is a disease control strategy that involves identifying persons diagnosed with COVID-19 and their contacts, then working with these individuals to stop further transmission. CDPH developed an electronic case management tool to support the work of its COVID-19 contact tracing teams. The COVID-19 Assessment and Response Electronic System (CARES) is a cloud-based data system that allows contact tracers to gather, organize, and store information so the Department can provide support to persons diagnosed with the disease and interrupt the spread of the virus by notifying their close contacts .
The objective of the audit was to determine if CDPH managed privacy and cybersecurity risks associated with the collection, storage, and transmittal of COVID-19 contact tracing data in accordance with the City of Chicago’s Information Security and Technology Policies (ISTP) and the United States Centers for Disease Control and Prevention (CDC) guidance.
OIG concluded that CDPH’s COVID-19 contact tracing program mitigates data privacy and cybersecurity risks. Although certain improvements to policies and procedures would encourage consistent and timely application of the security measures, the Department’s efforts to safeguard data suggest that the public’s personal information will be protected.
OIG found that the electronic case management tool, CARES, meets the cybersecurity and access control requirements of the City’s ISTP. However, CDPH did not consistently remove terminated users’ access to CARES within seven days, in accordance with ISTP timeliness standards. We found that training for contact tracers aligns with the City’s ISTP and includes several elements to develop awareness of data privacy and information security principles. We also found that contact tracers notify patients and contacts that their information will remain confidential and secure, and obtain consent before proceeding. However, contact tracers do not tell patients and contacts how long the City will retain their information. CDPH also has policies to mitigate risks when exchanging confidential information through electronic communication, and policies to designate persons responsible for approving data requests.
OIG recommends that CDPH adjust its process to ensure that terminated users’ access to CARES is removed within seven days of termination. CDPH should also update the contact tracers’ call script to inform patients and contacts of how long their data will be stored by the Department. Finally, CDPH should update its data release policy to include explicit criteria for staff to reference in determining whether to grant data requests.
In response to our audit finding and recommendations, CDPH stated that it will incorporate employment status reviews into its weekly check-ins with the Chicago Cook Workforce Partnership and community-based organizations that employ the contact tracers, which the Department believes will allow it to promptly remove access to the system for terminated employees. The Department also stated that it will create a data retention policy for CARES and will update the call script so that staff inform interviewees how long their data will be retained. Finally, CDPH stated that it will create criteria to help guide staff when reviewing data requests.