This record contains private information, which has been redacted from public viewing.
Record #: F2021-94   
Type: Report Status: Placed on File
Intro date: 12/15/2021 Current Controlling Legislative Body:
Final action: 12/15/2021
Title: Inspector General's follow-up to audit on Chicago Department of Health COVID-19 contact tracing program
Sponsors: Dept./Agency
Topic: CITY DEPARTMENTS/AGENCIES - Inspector General, - REPORTS - Miscellaneous
Attachments: 1. F2021-94.pdf



DE(§EMBER-2021



WILLIAM MARBACK INTERIM INSPECTOR GENERAL
CITY OF CHICAGO OFFICE OF INSPECTOR GENERAL 740 NORTH SEDGWICK STREET, SUITE 200 CHICAGO, ILLINOIS 60654 TELEPHONE: (773) 478-7799 FAX: (773) 478-3949
DECEMBER 2, 2021
TO THE MAYOR, CITY COUNCIL, CITY CLERK, CITY TREASURER, AND COMMUNITY MEMBERS OF THE CITY OF CHICAGO:
The City of Chicago Office of Inspector General (OIG) has completed a follow-up to its April 2021 audit ofthe Chicago Department of Public Health's (CDPH) COVID-19 contact tracing program's data privacy and cybersecurity.1 CDPH developed an electronic case management tool called the COVID-19 Assessment and Response Electronic System (CARES) to support the work of its contact tracing teams.2 Based on the Department's responses, OIG concludes that CDPH has fully implemented two ofthe three recommended corrective actions, and substantially implemented one.

The purpose ofthe 2021 audit was to determine if CDPH managed privacy and cybersecurity risks associated with the collection, storage, and transmittal of COVID-19 contact tracing data in accordance with the applicable City policies3 and federal guidelines.4 Our audit found that the Department's COVID-19 contact tracing program mitigated data privacy and cybersecurity risks. Although improvements to policies and procedures could have encouraged consistent and timely application ofthe security measures, CDPH's efforts to safeguard data suggested that personal information was nevertheless protected.

Based on the results ofthe audit, OIG recommended that CDPH,

adjust its process to ensure that terminated users' access to CARES is removed within seven days of termination;
update the contact tracers' call script to inform patients and contacts of how long CDPH will store their data; and
|109|Contact tracing is the disease control strategy of identifying persons diagnosed with a disease and their contacts, then working with these individuals to interrupt further transmission.|109|CARES is a c...

Click here for full text