Chicago Department of Public Health COVID-19 Contact Tracing Program: Data Privacy and Cybersecurity Audit Follow-Up

The City of Chicago Office of Inspector General (OIG) has completed a follow-up to its April 2021 audit of the Chicago Department of Public Health’s (CDPH) COVID-19 contact tracing program’s data privacy and cybersecurity. CDPH developed an electronic case management tool called the COVID-19 Assessment and Response Electronic System (CARES) to support the work of its contact tracing teams. Based on the Department’s responses, OIG concludes that CDPH has fully implemented two of the three recommended corrective actions, and substantially implemented one.

The purpose of the 2021 audit was to determine if CDPH managed privacy and cybersecurity risks associated with the collection, storage, and transmittal of COVID-19 contact tracing data in accordance with the applicable City policies and federal guidelines. Our audit found that the Department’s COVID-19 contact tracing program mitigated data privacy and cybersecurity risks. Although improvements to policies and procedures could have encouraged consistent and timely application of the security measures, CDPH’s efforts to safeguard data suggested that personal information was nevertheless protected.

Based on the results of the audit, OIG recommended that CDPH,

  • adjust its process to ensure that terminated users’ access to CARES is removed within seven days of termination;
  • update the contact tracers’ call script to inform patients and contacts of how long CDPH will store their data; and
  • update its data release policy to include explicit criteria for determining whether to grant external data sharing requests.

In its response to the audit, CDPH described corrective actions it would take. CDPH stated that it would incorporate employment status reviews into its weekly check-ins, allowing the Department to promptly remove access for terminated employees and create a data retention policy and criteria for the review of data requests.

In July 2021, OIG inquired about corrective actions taken by CDPH in response to the audit. Based on the Department’s follow-up response, OIG concludes that CDPH has fully implemented two of the three recommended corrective actions and substantially implemented one. Specifically, CDPH,

  • implemented a process to receive weekly termination lists from community-based organizations (CBOs) that employ contact tracing staff, thus allowing CDPH to remove 92.1% of terminated employees’ access to CARES within 7 days of their terminations;
  • created an internal data retention policy and updated its CARES call script to inform contacts that their data will be retained for five years; and
  • updated its internal data release policy to include detailed guidance regarding which staff are responsible for handling external data requests, as well as explicit criteria and procedures for reviewing those requests.

Once fully implemented, OIG believes the corrective actions may reasonably be expected to resolve the core findings noted in the audit. CDPH should continue to improve the process for removing CARES access for terminated employees and ensure that access is removed within seven days for 100% of terminated employees.