
Audit of the Chicago Department of Public Health Covid-19 Contact Tracing Program: Data Privacy and Cybersecurity

Report Details

Report Description: 
The Office of Inspector General (OIG) conducted an audit of the data privacy and cybersecurity of the Chicago Department of Public Health’s (CDPH) COVID-19 contact tracing program. Contact tracing is a disease control strategy that involves identifying persons diagnosed with COVID-19 and their contacts, then working with these individuals to stop further transmission. CDPH developed an electronic case management tool to support the work of its COVID-19 contact tracing teams. The COVID-19 Assessment and Response Electronic System (CARES) is a cloud-based data system that allows contact tracers to gather, organize, and store information so the Department can provide support to persons diagnosed with the disease and interrupt the spread of the virus by notifying their close contacts.
The objective of the audit was to determine if CDPH managed privacy and cybersecurity risks associated with the collection, storage, and transmittal of COVID-19 contact tracing data in accordance with the City of Chicago’s Information Security and Technology Policies (ISTP) and the United States Centers for Disease Control and Prevention (CDC) guidance.
OIG concluded that CDPH’s COVID-19 contact tracing program mitigates data privacy and cybersecurity risks. Although certain improvements to policies and procedures would encourage consistent and timely application of the security measures, the Department’s efforts to safeguard data suggest that the public’s personal information will be protected.
OIG found that the electronic case management tool, CARES, meets the cybersecurity and access control requirements of the City’s ISTP. However, CDPH did not consistently remove terminated users’ access to CARES within seven days, in accordance with ISTP timeliness standards. We found that training for contact tracers aligns with the City’s ISTP and includes several elements to develop awareness of data privacy and information security principles.
We also found that contact tracers notify patients and contacts that their information will remain confidential and secure, and obtain consent before proceeding. However, contact tracers do not tell patients and contacts how long the City will retain their information. CDPH also has policies to mitigate risks when exchanging confidential information through electronic communication, and policies to designate persons responsible for approving data requests.
Date Issued: 
Thursday, April 29, 2021
Agency Reviewed / Investigated: 
Chicago, IL
United States
Cook County
Type of Report: 
Professional Standard: 
GAO's Yellow Book, Generally Accepted Government Auditing Standards (GAGAS)
Special Projects: 
