Residents of South Dakota recently received a letter from the Department of Public Safety stating that they may have been affected by an information data breach on July 19 that targeted the DPS Fusion Center database used to share COVID-19 patient names and addresses with law enforcement officials.

A local South Dakotan, who wants to remain anonymous, sent the letter she received to a local news outlet when she realized that her personal information was possibly compromised, and her medical history shared with others.

When the Rapid City Journal reached out for comments on the situation, the anonymous woman stated, “They didn’t tell us that they were using our information, that the Department of Public Safety was using our information in the first place. And now they’re telling us that the whole system they were using was breached and my information has been compromised. I just feel like it’s added stress to an already delicate situation.”

The DPS Fusion Center used Netsential.com, Inc., an IT and web development firm used by other fusion centers and law enforcement agencies across the country. The letter states that DPS used Netsential to develop an online portal to protect first responders while responding to calls. While they did not receive a list of COVID-19 positive individuals, they could call a dispatcher to determine if someone in the household had tested positive.

The letter also said that the information was “restricted to a select number of South Dakota officials who received both training in handling the data and an individual password for accessing it.” The root cause of the breach was that Netsential added labels to the individual’s files that allowed third parties to identify COVID status even if it was removed from the system.

When asked why the DPS waited two months before alerting patients about the data breach and if they are still collecting patient information, a DPS spokesman responded, “The letter speaks for itself, and because this is an FBI-led criminal investigation, we cannot comment any further.”

According to South Dakota law, Netsential is required to notify those affected by the breach, but they have not confirmed they would do so, which led DPS to take responsibility in alerting people.