OIG Finds That the Chicago Department of Public Health’s COVID-19 Contact Tracing Program Addresses Data Privacy and Cybersecurity Risks

The Office of Inspector General (OIG) conducted an audit of the Chicago Department of Public Health’s (CDPH) COVID-19 contact tracing program to determine if CDPH managed privacy and cybersecurity risks associated with the collection, storage, and transmittal of COVID-19 contact tracing data in accordance with the City of Chicago’s Information Security and Technology Policies (ISTP) and the United States Centers for Disease Control and Prevention (CDC) guidance. Although certain improvements to policies and procedures would encourage consistent and timely application of the security measures, OIG found that CDPH’s contact tracing program mitigates data privacy and cybersecurity risks. Specifically, our findings show that,

  • The access controls for CDPH’s case management tool, known as the COVID-19 Assessment and Response Electronic System (CARES), meet the security requirements of the City’s ISTP and CDC guidance, as does training for contact tracers;
  • CDPH has policies to minimize risk when exchanging confidential information electronically, including policies that designate persons responsible for reviewing data requests; and
  • CARES prompts contact tracers to inform individuals that all information will be confidential and secure, and requires individuals’ consent to be recorded, but does not prompt notification of how long the City will store program participants’ information.

OIG recommended a few operational changes to help improve the Department’s program, such as adjusting its process for removing access to CARES to ensure it is completed within seven days of a user’s termination. CDPH should also update the contact tracers’ call script to inform patients and contacts how long the City will retain their data, and update its data release policy to include explicit criteria for staff to reference in determining whether to grant data requests. CDPH agreed with our recommendations and stated that it will incorporate employment status reviews into its weekly check-ins with the Chicago Cook Workforce Partnership and community-based organizations, create a data retention policy for CARES, update the call script, and create further criteria to help guide staff when reviewing data requests.

“Contact tracing will continue to play an integral part in tackling the current pandemic by helping to address and manage cases, in an effort to minimize exposure and transmission throughout Chicago. Our audit finds that CDPH’s COVID-19 contact tracing program displays a commitment to security, privacy, and confidentiality standards––all a matter of high concern and import in protecting public privacy during a global health crisis,” said Inspector General Joe Ferguson. “As part of its overall and ongoing work to protect communities from both disease transmission and cybersecurity risks, we encourage CDPH to continue to implement and update security needs as they develop.”

The full report can be found online at OIG’s website: bit.ly/CDPHContactTracing.

Follow @ChicagoOIG on Twitter and Facebook for the latest information on how OIG continues to fight waste, fraud, abuse, and inefficiency in Chicago government.


The mission of the independent and non-partisan City of Chicago Office of Inspector General (OIG) is to promote economy, effectiveness, efficiency, and integrity by identifying corruption, waste, and mismanagement in City government. OIG is a watchdog for the taxpayers of the City and has jurisdiction to conduct investigations and audits