Unusual Start for Portland’s COVID-19 Site Leads to Lack of Privacy, Security Measures

This is original XRAY.fm reporting. Listen to the audio version of this story above.

Here’s what you’ll learn from this story:
– A Portland COVID-19 screening website was rushed under pandemic pressure, did not go through appropriate data privacy and security assessments, and was not properly coordinated with other agencies.
– Despite rushing the project, a necessary awareness effort was not rushed. As a result few people in Multnomah County have used the site. However, local officials have considered using information from the site to track COVID-19 infection risk levels in certain areas or make decisions about distribution of resources.
– The site is not operated by the government, but rather by a corporate firm with no ties locally.
– This is an example of local and national governments implementing tech in panic mode which can lead to unintended and negative consequences.

A new COVID-19 infection screening website for Multnomah and surrounding counties was launched by Portland Fire and Rescue to prevent emergency room chaos and 911 call surges during the crisis. Emergency and public health staff hope to use data from the tool to inform decisions about triage and testing.

However, although still in its early stages, the system has significant data gaps. And amid an unusual process to get the tool set up, some evaluation protocols for data use, privacy and security were overlooked. The rushed process leaves questions about how information gleaned through the website is stored, who can access it and whether it should be used to inform government decisions about resource distribution in response to the pandemic. The project is an example of local and national governments implementing tech in panic mode which can lead to unintended and negative consequences.

Lieutenant Rich Chatman, Portland Fire and Rescue’s public information officer wanted to ensure only those at high risk of infection show up at the ER, especially if there’s a surge of possible COVID-19 patients.

“I’ve worked triage many, many times, and I’ve seen what real bad looks like and it’s real, real bad,” Chatman said.

A View of the C19Oregon.com Website

He and other emergency services staff rushed to set up c19Oregon.com, an infection screening tool. Site visitors enter their age and zip code and check off boxes for symptoms they’re experiencing such as fever, sore throat or shortness of breath. Depending on the information they provide, the system might ask about preexisting conditions such as diabetes or sickle cell disease.

Then it spits out a conclusion, categorizing site visitors at low, medium or high risk of COVID-19 infection – or at no risk at all. Only those the system deems high-risk are told to seek medical care immediately.

This site is not hosted by local or state government. In fact, it’s not an Oregon state effort at all. Rather, the site was built and is hosted by health tech corporation Vital. It’s a repurposed version of c19check.com, a near-identical COVID-19 screening site built by the company for Atlanta’s Emory University.

Vital is an artificial intelligence company; however, both COVID-19 screening sites use a relatively simple system that does not employ AI or machine learning to decide infection risk levels (take a look at the flow chart here). The system actually uses an altered version of a risk assessment developed by medical researchers for the swine flu pandemic of 2009.

Portland is paying Vital, which has developers in New Zealand and Atlanta, a $3,300 per-month subscription to operate c19Oregon.com. The site was customized for local use. However, that localization appears to come mainly in the form of a list of area hospitals presented to people deemed high-risk.

System Could Inform County COVID-19 Test Distribution

Municipalities across the globe are scrambling to get information that can help them understand the COVID-19 pandemic and respond with speed and efficiency.

Though primarily intended to screen out people at low-risk of infection, the website effort here does serve as a source of new data, too. It collects information on age, zip code, symptoms and preexisting medical conditions. For now, it doesn’t gather any identifiable information like names, phone numbers or medical records. However, there are discussions about using the site to connect users to triage nurses, which would require users to provide emails or phone numbers. And it’s worth noting Vital drew scrutiny for a privacy policy that until recently would have allowed sale of data for advertising and other uses.

“It helps us identify the neighborhoods so we can go out and do community intervention to decrease COVID-19 within that population.”
– Dr. Jon Jui, Multnomah County’s EMS Medical director

When combined with other emergency and public health data the information gathered through the site reveals clues about infection risk patterns and hot-spots. It might be used to determine whether to target testing to specific neighborhoods, for example.

“It helps us identify the neighborhoods so we can go out and do community intervention to decrease COVID-19 within that population,” said Dr. Jon Jui, Multnomah County’s EMS Medical director, who helped get the project off the ground.

Data Gaps and an Incomplete Privacy Process

But for now, there are significant gaps in the data. In some areas of the county, no one has used the site, which went online on March 20. As of April 19, only around one percent of the county’s 812,000-some residents had visited it in total. The biggest spike in visits came on April 10, around the same time a press announcement and an Oregonian story about it ran.

But it’s not just lack of awareness or a lack of COVID-19 related symptoms among residents here that might be spurring limited use of the tool. The largest group of people who used the site were labeled as “no risk” after screening. While 1,075 were categorized as high risk, 2,495 were considered to be at no risk by the system.

Chart shows COVID-19 infection risk levels of people in Multnomah County zip codes who used C19Oregon.com as of April 19, 2020

Portland Fire and Rescue’s principal management analyst Robyn Burek said the information gathered from the screening site is just one piece of a larger puzzle. “It may not be a perfect picture across the city as much as we would like it to be but when we start adding other pieces to it I think it will begin to add some value to all of it and we’ll hopefully get a fuller story of what’s happening,” she said.

A promotional and community outreach campaign in multiple languages is in the works which should raise awareness of c19oregon.com.

Unusual Origins and a “Tech Wizard” Friend

Rushing the project under pandemic pressure meant standard protocol for technology procurement did not happen. In fact, the system was not selected by Portland technology staff at all. Instead, a tech entrepreneur friend of Chatman’s, Benjamin Diggles, played an instrumental role in discovering and selecting the tool as well as communicating the city’s needs to Vital.

“I reached out to a tech wizard friend of mine, who solves problems like this, like, for fun,” said Chatman. “I was like, what’s out there Ben? What can technology do that can help the situation out?”

Diggles is co-founder of Constellation Network, a blockchain technology firm that serves military clients. The company secures defense industry data, such as information from US Air Force drones. Diggles has no official role in local government nor does he have public health experience. He told XRAY he has not charged the city for his work on the project.

Some local public health officials did assess the system. But important evaluations often used for vetting government technology were ignored completely.

“We didn’t have an in-depth review on the potential for the data to be hacked, but there wasn’t much concern about the information being collected because it doesn’t identify people.”
– Dan Douthit, Portland Bureau of Emergency Management

For instance, the back-end decision-making process used by the website was not assessed for data privacy or security measures called for in Portland’s privacy resolution passed last year. It’s also worth noting c19Oregon.com is a corporate website that is not hosted on government servers.

“We didn’t have an in-depth review on the potential for the data to be hacked, but there wasn’t much concern about the information being collected because it doesn’t identify people,” said Dan Douthit, public information officer for the Portland Bureau of Emergency Management and Bureau of Emergency Communications. Douthit said he was aware of the Emory University site before it was brought to Chatman’s attention by Diggles.

Because the city is in crisis mode, the project was run through emergency protocols.

“We’re actually using systems now that we employ only during the highest-level emergencies,” said Chatman. “Without a pandemic bearing down on us, we would certainly take a more methodical and planned-out process. When we’re looking at the possibility of becoming something like New York City, then we don’t go through those processes. We get the job done.”

But moving swiftly without engaging some of the city’s key technology staff leaves lots of questions about how the website’s data is secured and stored, who has access to it, how it might be used or whether it could be connected with identifiable information in the future.