Cyber Incident Victim: Pitkin County

On December 14, 2020, Pitkin County, Colorado, discovered potential unauthorized access to a file containing COVID-19 case investigation and contact tracing data. An investigation revealed the file had been inadvertently accessible online from October 1, 2020, until its discovery date—a 75-day exposure period. The county immediately secured the file to block internet access upon identification. No evidence emerged suggesting misuse of the exposed information. The compromised data included personally identifiable health details such as names, addresses, dates of birth, employers, school or childcare facility names, underlying health conditions, test types, unique identifiers, symptom descriptions, symptom onset dates, and flu vaccination status with vaccine types. Notably absent were Social Security numbers and financial data. The incident did not involve Pitkin County's contract tracing personnel or their operational protocols for disease control.

Pitkin County implemented multiple containment measures following the breach discovery. Remediation efforts focused on securing the exposed file and enhancing data protection processes. The county initiated policy and procedure reviews to strengthen information security frameworks. Regulatory compliance actions included planned notifications to relevant state and federal authorities. Affected individuals received offers for twelve months of complimentary credit monitoring and identity restoration services through ID Experts, despite no detected misuse. The county established a dedicated toll-free hotline (1-833-226-4422) and email address ([email protected]) for public inquiries. Public statements emphasized the county's commitment to information security while clarifying the breach's isolation from active pandemic response operations.