Data breach of Oklahoma City Police results in rape kit information being exposed..about as bad as it gets
February 23, 2022 |
It has long been the practice of authorities to provide maximum privacy to complainants in sexual assault and rape cases. In Australia and most overseas common law jurisdictions reporting of rape cases does not identify the victim. The report that data from rape kits of victims who alleged they were sexually assaulted are the subject of a data breach is devastating to those individuals. It also undermines the confidence in the police procedure. It may also prejudice the prosecution of cases where that data is a crucial piece of evidence.
What is more than passing strange is that the data breach took place on 18 November 2021 but details of that breach were only provided this week. The handling of the breach has been dreadful with the the Police Department stating that “certain sensitive personal and health-related information” may have been compromised. DNA Solutions took a different tack stating “The data did not include social security numbers, driver’s license information, or financial information. We have notified individuals or organizations whose data may have been impacted directly.” DNA Solutions stated what was not included in the data taken or exposed but does not say whether personal information was taken. That is a non answer answer.
There have been some very significant data breaches involving DNA data. On 29 November 2021 DNA Diagnostics Center Inc in Maine USA notified the Attorney General that there had been a data breach, from 24 May until 28 July 2021, which affected 2,102,436 people. In July 2019 it was reported that a DNA-testing service Vitagene Inc. left thousands of client health reports exposed online for years with more than 3,000 user files remaining accessible to the public on Amazon Web Services cloud-computer servers until 1 July 2019. The reports included genealogy reports which included customers’ full names alongside dates of birth and gene-based health information, such as their likelihood of developing certain medical conditions. Back in 2017 Ancestry.com had a huge, by those standards, data breach involving 300,000 credentials exposed.
The article related to the Oklahoma breach provides:
OKLAHOMA CITY (Free Press) — Victims of past sexual assault who had their DNA collected in a rape kit by the Oklahoma City Police Department now face yet more uncertainty because of a data breach.
Rape kits are used to collect DNA evidence by law enforcement agencies for sexual assault investigations.
Saturday, those who had their DNA information stored by a contractor for OKCPD in connection to sexual assault investigations were informed by a U.S. Post Office letter of the breach.
The contractor is DNA Solutions, Inc., a DNA research company located in Oklahoma City.
The company’s website touts their location in the “prestigious University Research Park Campus in Oklahoma City.”
“DNA Solutions is equipped to process a high volume of samples daily which gives our clients rapid turnaround at affordable prices,” reads the company’s About website page.
The extent of the breach is suggested by the range of DNA research they provide, “…including paternity and forensic testing in humans and sire confirmation, genotype registries, DNA banking and forensic identification in animals.”
Victimized again
One individual who was the victim of a sexual assault within the last five years and had their DNA collected in a rape kit by OKCPD contacted Free Press late Saturday because they had received a letter from the department that morning.
“I just think it’s ridiculous,” said the individual who sent us a photo of the letter. They did not want us to reveal their name.
“It’s really, really disappointing,” they said.
And, especially since it involved an organization that they want to trust, “it’s frustrating.”
To have had what happened to them four or five years ago and then to have the information “leaked” was “awful,” they told us.
The letter
“You are receiving this letter because at one point in the past, your personal information was obtained by the Oklahoma City Police Department as part of a criminal investigation,” the first line of the letter read.
“This personal information was contained on reports associated with physical evidence that was sent to DNA Solutions, Inc. for DNA testing.”
The form letter alerts the recipients that the contractor’s “electronic database experienced a network security breach” that “could include” their personal information.
The letter said that their information was “potentially compromised by an unauthorized third party” and may include their “last name, address, and health-related information.”
As is common with data breaches, DNA Solutions is offering free identity theft protection along with free credit monitoring.
The letter reads that the breach “did not occur to, involve, or affect the City of Oklahoma City or the Oklahoma City Police Department.”
No statements
A call to DNA Solutions outside their regular work hours Saturday evening only yielded a recorded message and voicemail. We left a detailed message requesting a return call.
An OKCPD public information officer told Free Press that he did not know enough at that point to answer questions and would answer questions Monday.