Audit of the Chicago Department of Public Health Covid-19 Contact Tracing Program: Data Privacy and Cybersecurity

The Office of Inspector General (OIG) conducted an audit of the data privacy and cybersecurity of the Chicago Department of Public Health’s (CDPH) COVID-19 contact tracing program. Contact tracing is a disease control strategy that involves identifying persons diagnosed with COVID-19 and their contacts, then working with these individuals to stop further transmission. CDPH developed an electronic case management tool to support the work of its COVID-19 contact tracing teams. The COVID-19 Assessment and Response Electronic System (CARES) is a cloud-based data system that allows contact tracers to gather, organize, and store information so the Department can provide support to persons diagnosed with the disease and interrupt the spread of the virus by notifying their close contacts . The objective of the audit was to determine if CDPH managed privacy and cybersecurity risks associated with the collection, storage, and transmittal of COVID-19 contact tracing data in accordance with the City of Chicago’s Information Security and Technology Policies (ISTP) and the United States Centers for Disease Control and Prevention (CDC) guidance. OIG concluded that CDPH’s COVID-19 contact tracing program mitigates data privacy and cybersecurity risks. Although certain improvements to policies and procedures would encourage consistent and timely application of the security measures, the Department’s efforts to safeguard data suggest that the public’s personal information will be protected. OIG found that the electronic case management tool, CARES, meets the cybersecurity and access control requirements of the City’s ISTP. However, CDPH did not consistently remove terminated users’ access to CARES within seven days, in accordance with ISTP timeliness standards. We found that training for contact tracers aligns with the City’s ISTP and includes several elements to develop awareness of data privacy and information security principles. We also found that contact tracers notify patients and contacts that their information will remain confidential and secure, and obtain consent before proceeding. However, contact tracers do not tell patients and contacts how long the City will retain their information. CDPH also has policies to mitigate risks when exchanging confidential information through electronic communication, and policies to designate persons responsible for approving data requests.