Los Angeles Times

Data leak prompts firefighter outcry

L.A. County union demands inquiry after vaccination records are posted.

- By Matt Stiles

The vaccination details of nearly 5,000 Los Angeles County Fire Department employees were posted online this week, prompting concerns about medical privacy and demands for an investigation by a major employee union.

The list of employees and their COVID-19 vaccination data was posted on a privately registered and since deactivated web domain — covid.lacofdems.com — that appears to have been connected to the department’s Emergency Medical Services bureau.

The website, whose registrant remains unclear, contained about 4,900 workers’ full names, birth dates, employee numbers and vaccination details, including shot dates, specific dose information and whether employees had declined an injection.

The Times discovered the release this week and captured the data before the site went down early Thursday night. An analysis revealed that about a quarter of the department’s workers — both firefighters and civilian employees — declined an initial dose earlier this year.

The records also revealed that younger workers were more likely to decline the vaccine. The average age of employees who declined was 40. The average age of those who accepted was 45. About a third of workers under 40 declined, the data show, while acceptance rates increased significantly for those in older age groups.

News that the information had been made public — perhaps by mistake — caused a furor among some firefighters who complained on social media, prompting their union to call for an investigation.

“We have demanded a full investigation into the data breach of their personal medical information,” said Dave Gillotte, president of Local 1014, which represents the department’s firefighters.

The department declined to answer questions about the incident or whether the release might have violated laws designed to protect the privacy of personal medical information. It released a statement in response to inquiries about the incident. “We strive to safeguard our employees’ privacy, and therefore we are taking this matter very seriously,” the statement read.

The Times obtained an internal memo, issued by L.A. County Fire Chief Daryl Osby on Thursday, saying that the “unauthorized” website had been online since April “to allow Department employees to retrieve lost vaccination information.” The memo said fire officials told the county’s legal department and chief executive, and were following “cybersecurity incident response protocols.” The memo said the site “was removed” early Thursday morning but doesn’t detail more about its provenance. Osby did not challenge the accuracy of the data.

A Times review of information about the domain and a deeper probe into the site’s internet protocol address suggest it was being hosted by a department employee, and therefore not secured by government software or infrastructure.

Before it was taken down, the website’s main page allowed users to submit search queries for names and employee numbers to a database that contained all the workers’ vaccination-related information.

But the interface wasn’t password protected, and a “wildcard” search — one submitted without parameters — revealed all employees’ information in a spreadsheet-like table.

In addition, the website allowed users to select an individual worker to see specific dates for first and second doses, along with a code that revealed brands and specific batches of shots.

It also showed whether workers hadn’t yet received a second dose or had declined to take the vaccine altogether, revealing specific medical decisions that have become controversial in public safety workplaces and could violate the employees’ privacy.

Among those employees whose information was released on the site was Osby, although his birth date was redacted, unlike those of other department employees. He received his first dose Dec. 23 and the second on Jan. 19, according to the site.

An analysis of data captured by The Times reveals the vaccination disparities in the department, which obtained thousands of Moderna doses just before Christmas, when first responders became eligible to receive them.

The department required workers on duty to visit one of its vaccination sites over the winter in an effort to boost acceptance. Employees weren’t penalized for declining once at the site, and the department estimates that at least 70% of them agreed to be vaccinated — a rate that’s higher than in the state as a whole. Those who initially declined could still have been vaccinated later through private medical providers, like any other adult.

Clayton Kazan, the department’s medical director, declined to comment about the data disclosure and referred questions about the details to the department spokesman.

He said only that the department worked diligently to persuade some skeptical workers to accept the vaccine, designing a policy that required them to affirmatively decline if they didn’t want to accept a dose. The policy was intended to counter peer pressure in stations where vocal firefighters or supervisors might have increased vaccine hesitancy.

“Our group, my team, we blanketed people with videos and memos trying to dispel all the concerns,” he said. “I’m incredibly proud of my team.”

It remains unclear whether the disclosure would amount to a violation of the Health Insurance Portability and Accountability Act. The law establishes rules to protect individuals’ health privacy, and large-scale breaches can require medical providers to report details to the U.S. Department of Health and Human Services, which posts details about such incidents online.

“We have taken measures to remedy the situation,” according to the department’s statement, “but because this incident is currently under investigation, we are unable to provide further information.”
