The City of Chicago Office of Inspector General (OIG) has completed a follow-up to its April 2021 audit of the Chicago Department of Public Health’s (CDPH) COVID-19 contact tracing program’s data privacy and cybersecurity. CDPH developed an electronic case management tool called the COVID-19 Assessment and Response Electronic System (CARES) to support the work of its contact tracing teams. Based on the Department’s responses, OIG concludes that CDPH has fully implemented two of the three recommended corrective actions and substantially implemented one.
Our April 2021 audit determined that CDPH managed privacy and cybersecurity risks associated with the collection, storage, and transmittal of COVID-19 contact tracing data in accordance with the City of Chicago’s Information Security and Technology Policies. OIG also determined that CDPH had policies in place to minimize risk when exchanging confidential information electronically. However, while CARES prompted contact tracers to inform individuals that all information will be confidential and secure, and required individuals’ consent to be recorded, it did not prompt notification of how long the City would store participants’ information.
OIG made recommendations to help the Department address potential data and cybersecurity risks in its program. Specifically, OIG recommended that CDPH adjust its process for removing access to CARES to ensure it is completed within seven days of a user’s termination; update the call script to inform patients and contacts how long the City will retain their data; and update its data release policy to include criteria for staff to reference when determining whether to grant data requests. CDPH agreed with our recommendations and stated that it would implement the suggestions OIG had outlined, such as updating policies and procedures.
In July 2021, OIG inquired about corrective actions taken by CDPH in response to the audit. Based on the Department’s follow-up response, OIG concludes that CDPH has: created an internal data retention policy; updated its CARES call script to inform contacts that their data will be retained for five years; updated its internal data release policy with detailed guidance for staff regarding external data requests; and implemented a process to receive weekly termination lists from community-based organizations that employ contact tracing staff, thus allowing CDPH to remove 92.1% of terminated employees’ access to CARES within 7 days of termination.
“The Chicago Department of Public Health has been detailed and thorough about its contact tracing program throughout the pandemic, meeting City standards and federal guidance to ensure that participants’ information is safe and secure,” said Interim Inspector General William Marback. “With full implementation of two of the three OIG recommendations, CDPH is well on its way to resolving the issues first noted in our April 2021 audit.”
The follow-up report can be found on OIG’s website.
The mission of the independent and non-partisan City of Chicago Office of Inspector General (OIG) is to promote economy, effectiveness, efficiency, and integrity by identifying corruption, waste, and mismanagement in City government. OIG is a watchdog for the taxpayers of the City and has jurisdiction to conduct investigations and audits into most aspects of City government. If you see corruption, fraud, or waste of any kind, we need to hear from you. For more information, visit our website at: www.igchicago.org.