Medical information included in leak after third-party compromise
The personal data of an unknown number of victims of sexual assault has been exposed following a breach at Oklahoma-based DNA Solutions.
The laboratory processed DNA evidence from rape victims, known as ‘rape kits’, for the Oklahoma City Police Department (OKCPD), amongst other clients, over a two-year period. The breach is said to have taken place last November.
“The Oklahoma City Police Department was recently made aware that a company that had performed forensic testing for the department suffered a network security incident,” captain Valerie Littlejohn of the OKCPD told The Daily Swig.
“DNA Solutions Inc. determined that an unauthorized third party accessed their network and may have compromised certain sensitive personal and health related information from sexual assault kits sent to them for forensic testing.”
Littlejohn added that the department no longer has a contract with the company.
The number of people affected isn’t known, but the OKCPD says it has written to everybody who supplied a rape kit to DNA Solutions at any time.
DNA Solutions blames the breach on an unnamed third-party software.
“On November 18, 2021, our team detected and stopped a network security incident, immediately secured the network environment, and engaged cybersecurity experts to conduct a comprehensive investigation into the extent of the unauthorized activity.
“During this time, we also notified federal law enforcement about the incident,” the company told The Daily Swig in a statement.
“The investigation determined an unauthorized party accessed the network through an unknown vulnerability in a third-party software provider’s platform and may have compromised certain personal and medical information.”
The data is believed to include medical information but did not, says the company, include social security numbers, driver’s license information, or financial information.
Nevertheless, says the company, those people potentially affected should enrol in the credit monitoring and identity protection services that it is being offered free of charge.
DNA Solutions says it has also notified all those who may have been affected by the breach.
“Protecting data is a responsibility we approach with the utmost seriousness, and we are committed to safeguarding against future threats,” the company says.