Jefferson County Public Health exposed sensitive patient data to worldwide view for three years due to accidental misconfiguration of its Tableau visual analytics platform hosted in the cloud and offered on its website.

This breach of confidential patient information offers lessons on the insecurity of cloud data storage, even as the City of Port Townsend just migrated its finances to a Tableau-integrated cloud system.

Perhaps more significantly, it also exposes some of the ways Public Health may be promoting false narratives by withholding, distorting, and cherry-picking its data disclosures.

 

How County Patient Data Was Exposed in the Cloud

Throughout much of the lockdown era, Jefferson Public Health maintained COVID-19 Updates on its website:

 

 

The updates regularly posted charts showing county COVID-19 case rates, hospitalizations, and deaths, generated by Tableau software based on COVID-19 patient details uploaded to the cloud by Public Health:

 

 

These charts included a Tableau menu bar in the bottom-right corners.  Hovering the cursor over the down-arrow-box icon offered a live option to “Download” the underlying patient data in various file formats:

 

 

Tableau offered access to confidential patient data and case information either using its web app or downloaded as a “Tableau Workbook” for later offline study using its free-trial Tableau Public desktop app:

 

 

Here is what one of these Public Health charts looked like when opened as a Workbook inside the Tableau app:

 

 

… along with an easier-to-read zoomed version:

 

 

Underlying each chart are tables filled with private patient data in dozens of categories including First/Last Name, Admit/Discharge/Death Date, Age Group, Health Conditions, Vaccination Status, and Case Notes, accessible simply by right-clicking on a chart and selecting “View Data”:

 

 

Finally, here is a Tableau table showing specific examples of the private patient data that Public Health exposed on the internet about county deaths involving COVID-19:

 

 

Note that I redacted this screenshot to block out identifying information such as names to preserve anonymity, but other details are shown to allow verification and indicate the nature and scope of the data leak.

This table represents only a small part of the patient data that Public Health exposed to the web via multiple insecure Tableau charts uploaded throughout 2022.  Such data is required to be kept private according to HIPAA Privacy Rules, but Public Health assumed was safe to store in the cloud.

None of this data was obtained by “hacking” or any nefarious activity. Instead, a sharp-eyed Port Townsend Free Press reader stumbled on the “Download” invitations beneath Jefferson Public Health web charts, followed the instructions provided by Tableau, and discovered the trove of patient data being freely offered to all comers.

This reader contacted me, then I verified the information and took the above screenshots back in 2022 for possible use in future stories.

 

Was Jefferson Public Health Alone in its Data Leak?

Tableau pioneered “visualizing a pandemic defined by data” so was adopted by many county and state Public Health websites to provide a scientific-seeming veneer for their propaganda messaging (as documented October 23 by Congress).

 

 

In late 2022 when I surveyed various northwest health department Tableau-based websites, I noticed that some — like Oregon Health Authority — excluded access to underlying chart data, instead just allowing the charts themselves to be downloaded in various formats such as an “Image” or “PDF”:

 

 

Others were similar to Jefferson County Public Health in that they enabled “Download” access to their underlying data.  For example, Clark County Public Health likewise allowed anyone in the world to dive deeply into its COVID-19 case and death numbers:

 

 

Similarly, Washington State Department of Health webpages continue to this day to enable free access to underlying “Data” via the “Download” icon on its Tableau menu bars:

 

 

Where Washington State, Clark County, and other Public Health departments differ from Jefferson County is that they were prudent enough to upload only anonymous general statistical data to the cloud.

By contrast, Jefferson County Public Health was the only one I found shoveling easily-identifiable confidential patient data to the cloud — complete with names, dates, health conditions, case notes, pretty much everything. By doing so, it is potentially subject to HIPAA penalties for its negligent practices and risk assessment failures.

——————————————-

——————————————-

 

Along these lines, when Jefferson Healthcare received a Public Records Request (PRR) about the vaccination status of a county COVID-19 death, it refused the request on April 27, 2021 “because the individual could be identified from the information and is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) patient privacy laws.”

Then when a follow-up PRR asked for unidentifiable death statistics instead, Jefferson Healthcare pivoted on May 6, 2021 replying: “We have checked with our data analyst team and they report that we do not have reports or documents/records that would address the information you have requested above.” That claim is disingenuous given there were then only three such deaths, so it would have taken their “data analyst team” just a few minutes to provide the requested information.

Public Health proceeded to keep unidentifiable data about COVID-19 cases under wraps on privacy pretexts, even while negligently spilling identifiable data to the cloud and cherry-picking data in media and meeting statements to spin prejudicial vaccination narratives.

For example, at a County Commissioners meeting on December 13, 2021, Public Health Officer Dr. Allison Berry had it both ways saying she “can’t confirm or deny any individual patient’s experience” due to “very stringent rules around patient privacy,” but went on to claim “what we do know” is that the “long-term disability” experienced by an individual patient is “truly false” — gaslighting a 27-year-old Port Townsend resident who had gone on record with documentary evidence from Virginia Mason that she had two heart attacks and 70% loss of function caused by COVID-19 vaccination.

 

Jefferson Data Continued to Leak for Three Years Until Today

When public health departments around the country stopped updating their data dashboards in early 2023, Jefferson County likewise stopped updating its COVID-19 data charts, then removed them from county webpages soon afterwards.  So I assumed its year of spilling patient data was a thing of the past and water under the bridge, no longer an ongoing HIPAA violation of patient privacy.

But while wrapping up this story, I was surprised to learn at least ten of Jefferson Public Health’s Tableau charts were still live and leaking until the present day on the county’s cloud repository at public.tableau.com for anybody to “download or make a copy for inspiration”:

 

 

Patient data updated April 19, 2023 was still offered for download as a “Tableau Workbook” for offline study using the free Tableau Public trial app.  My app from 2022 opened the data immediately despite being unused for over two years and its trial period long expired:

 

 

Moreover, patient data was still exposed to viewing on the web even without the Tableau Public app, just by clicking the upper-right “Make a copy” icon, signing into a free Tableau account, and right-clicking “View Data” on any chart:

 

Same as in 2022, Tableau’s county cloud repository offered a choice of what personal patient data fields to show, including “Sex at birth,” “ZIP code or Tribe,” and a new category “Vaccination status simple” introduced by Public Health to obscure the large number of so-called breakthrough infections by reclassifying vaccinated and boosted individuals as “Not up to date”:

Jefferson County Public Health was informed about its data-leaking web charts so they could be removed from Tableau’s cloud repository prior to this article’s publication. Now that future risk has been removed, hopefully the above historical explanations will serve as a salutary warning for Tableau webmasters about what not to do.

 

Data Leak Raises Questions about Public Health Messaging

Along with cautionary lessons about cloud storage risks, this leak also opened a revealing window into the questionable data sources that Public Health has used to justify its narrative that COVID-19 is “a pandemic of the unvaccinated.”

 

 

Compare that CDC messaging, promoted by Public Health, to the reality of Jefferson County COVID-19 deaths age 65 or older revealed in this anonymized summary (from the leaked Tableau screenshot of county deaths as of April 19, 2023):

 

The Vaccination Status was “None” for only seven out of the 30 county COVID-19 deaths in this dataset.  The other 77% were fully vaccinated or boosted or twice boosted, but hardly protected from infection, hospitalization, and death.

Note that two of the unvaccinated deaths were in 2020 before vaccines were available, while the other five “None” deaths might NOT actually have been unvaccinated, since Public Health may mark Vaccination Status as “None” if:

1. Vaccination took place in a pharmacy, supermarket, or other location not sharing records with Jefferson Healthcare;

2. Death took place during the typical 3 to 8 week wait between first and second vaccinations before “Primary Series Completed”;

3. Death took place within 2 weeks after the second vaccination to give “the body time to establish a strong immune response after the second dose.”

These statistical shell games also apply to the seven county COVID-19 deaths aged 55 to 64, only one of whom had “Primary Series Completed,” since it is unknown how many of the other six deaths were vaccinated one or more times in ways that Public Health has chosen not to count.

Another point to note about the leaked age 65+ dataset is that 23 out of 29 (not counting one death marked “Unknown”) were known to have serious Health Conditions including cancer, heart disease, kidney disease, and diabetes.

That 23 includes two of the “Unvaccinated” misidentified as “Null” under Health Conditions, whereas one was chronically ill in hospice and the other was hospitalized for multiple serious comorbidities and surgical complications unrelated to COVID-19. The other six “Null” deaths also likely had various health conditions judging from their case notes.

Given their precarious conditions, an unknown number may not actually have died “from” COVID-19, instead merely “with” a COVID-19 diagnosis stemming from an unreliable PCR test result. For example, the case notes say one of these supposed COVID-19 deaths actually “died of cancer. Hx heart block, chronic resp. failure.”

According to the CDC, 95% of COVID-19 deaths involve an average of four other serious comorbidities.

——————————————-

——————————————-

 

So nearly all the county’s supposed COVID-19 deaths age 65+ were likely suffering from an average of four other serious health conditions that might really have killed them.

And at least 77% of them received multiple vaccine injections — increasingly a pandemic of the vaccinated as the last 8 deaths in the leaked data (from May 2022 to April 2023) were vaccinated, including one boosted and two boosted twice:

 

 

 

That’s a very different picture than what Public Health messaging represented to the public, categorizing all but three of these 30 deaths simply as “Not up to date” or “Unvaccinated” to justify deadly lockdowns, mandates, endless boosters, and vaccine discrimination.

 

Public Health Responses

Regarding the finding “that all 8 county COVID-19 deaths from May 2022 until data was last updated April 19, 2023 were vaccinated,” I asked Health Officer Dr. Allison Berry:

1. Can you confirm this information?

2. When did Public Health realize that only the vaccinated were dying of COVID-19 in this county since May 2022 until April 2023, and was this fact ever reported to the Board of Health, County Commissioners, and the public?

3. How many unvaccinated and how many vaccinated have died of COVID-19 in this county since April 19, 2023?

Berry replied to these questions as follows:

Thank you for your question. Here is the breakdown of deaths in Jefferson County by vaccination status in recent years. … Since the time when vaccinations were widely available, 48 people have died of COVID-19 in Jefferson County. From May of 2021-the end of that year, we lost 17 people to COVID-19. Of those, 12% were up-to-date on their vaccination, 59% were not up-to-date, and 29% were unvaccinated. In 2022, we lost 14 people to COVID-19. Of those, 14% were up-to-date on their vaccination, 50% were not up-to-date, and 36% were unvaccinated. In 2023, we lost 9 people to COVID-19. Of those, none were up-to-date, 56% were not up-to-date and 44% were unvaccinated. In 2024, so far we have lost 8 people to COVID-19. Of those, 25% were up-to-date, 50% were not up-to-date, and 25% were unvaccinated.

Berry’s figures for 2021 and 2022 match the Tableau numbers precisely, but do not include 3 earlier deaths from 2020 through April 2022 (which may have been reclassified or ignored because they preceded the vaccination program). Her figures also enable calculating there have been 6 unvaccinated and 9 vaccinated deaths since Public Health stopped updating Tableau on April 19, 2023, answering my first and third questions.

She did not take the opportunity to address my second question about Public Health’s failure to tell people the counter-narrative fact that only vaccinated county residents were dying of COVID-19 throughout the 12 months between May 2022 through April 2023, while always being quick to point out whenever someone unvaccinated or “not up to date” dies.

Berry included lengthy context on how she interprets these numbers, making several notable points that are off topic for this article but may be taken up in a future one (her full response can be read here).

Regarding closure of the data breach, Public Health Director Apple Martine reported that as of November 21, 10am:

Our JCPH technician worked with Tableau engineers yesterday afternoon, evening, and this morning to resolve the problem. There is no longer the possibility of accessing PHI from public.tableau.com now; these data have been removed. We expect to receive a formal accounting of how this happened from Tableau now that our incident ticket is being closed with their engineers. We will also be doing an internal after-action-review so that breach of PHI does not happen again. … The data should no longer be visible, and thank you for bringing it to our attention.  We definitely want to make sure that we’re never exposing private health information, and breaches do happen.

 

City Financial Records Are Now Also Stored in the Cloud

Joining county Public Health in the cloud, the City of Port Townsend just shut down its local on-site server-based financial system Friday, July 19, 2024 and migrated to a Tableau-integrated cloud version on Monday, July 22.

The transition had “no hiccups… so far, so good,” according to Jodi Adams, new Director of Finance and Technology Services.  Long-term plans are for Tableau to visualize data on the city website, but staff is currently learning to use it to make graphs for in-house reports.

City financial records are now stored in the cloud and managed via web browsers, including Accounts Payable & Receivable, Bank Reconciliation, Payroll, Human Resources, Employee Self Services, Utility Billing, and Project Management. Not yet included is the CivicPay option, enabling citizens to see and pay utility bills online.

Cloud migration was proposed by former Finance Director Connie Anderson and approved unanimously by city council at their February 21, 2023 meeting, but implementation took a year longer than projected.

The city had little choice — its vendor Springbrook had discontinued updates in favor of the company’s more expensive cloud version back in 2017, with support for the city’s on-site system fading and no better alternative offered by competing vendors, in line with the industry-wide push toward subscription-only cloud software replacing ownership with a rental model.

Anderson’s proposal identified a number of advantages of the cloud approach, including:

• Eliminating cost of expensive on-site equipment;
• Reducing the carbon footprint;
• Tableau integration — visual analytics platform;
• Enhanced data security protected by highest level of security available.

But any such “enhanced data security” is at best a trade-off, given that moving data to the cloud surrenders the natural physical security provided by restricting access to on-site users and those connected to the local area network.  By contrast, cloud hosting exposes city finances to worldwide security risks either via web access, hackers, “careless computing”, or insider attacks at the cloud host.

A textbook example of these risks is Jefferson County Public Health’s data breach, from which the city can hopefully learn to take care not to likewise expose its own confidential financial records to the web via the Tableau cloud platform they both share.