Chicago Department of Public Health COVID-19 Contact Tracing Program: Data Privacy and Cybersecurity Audit Follow-Up

Executive Summary

The City of Chicago Office of Inspector General (OIG) has completed a follow-up to its April 2021 audit of the Chicago Department of Public Health’s (CDPH) COVID-19 contact tracing program’s data privacy and cybersecurity. CDPH developed an electronic case management tool called the COVID-19 Assessment and Response Electronic System (CARES) to support the work of its contact tracing teams. Based on the Department’s responses, OIG concludes that CDPH has fully implemented two of the three recommended corrective actions, and substantially implemented one.

The purpose of the 2021 audit was to determine if CDPH managed privacy and cybersecurity risks associated with the collection, storage, and transmittal of COVID-19 contact tracing data in accordance with the applicable City policies and federal guidelines. Our audit found that the Department’s COVID-19 contact tracing program mitigated data privacy and cybersecurity risks. Although improvements to policies and procedures could have encouraged consistent and timely application of the security measures, CDPH’s efforts to safeguard data suggested that personal information was nevertheless protected.