In May 2021, California Gov. Gavin Newsom announced a “Vax for the Win” sweepstakes that would give away $116.5 million, with big cash prizes awarded in random drawings to dozens of lucky winners. Everyone who received a COVID vaccine was automatically entered.
“We have your information in our system,” Newsom said. The Mercury News reported that he was “referring to the millions of vaccination records in the California Public Department of Health’s confidential, digital Immunization Information System.”
The state “maintains a confidential registry of all vaccine recipients,” CalMatters reported, noting the governor’s assurance that the names of the winners would be kept confidential unless the individuals volunteered to have their information released.
But the confidentiality of the information in the state’s vaccine registry has a big loophole in it through which the confidential data is flowing to a political consulting firm called Street Level Strategy, LLC.
“I’m being stalked by the state of California,” one Los Angeles resident told me recently. “I just got a call from a guy who told me he has my file and he sees I got the Pfizer vaccine, but not a booster.” The caller identified himself as being with “Street Level Campaigns” and said they had a contract with “public health” to help people make appointments to get boosters.
Here’s how Street Level Campaigns describes itself on its website: “Street Level Campaigns, LLC (SLC) is a grassroots consulting firm specializing in community organizing, voter contact, and coalition building. Our clients include candidates, ballot measures, issue campaigns, non-profit organizations, and trade associations. SLC is an affiliate of our sister organization Street Level Strategy, LLC a national public affairs consulting firm.”
That description appears on a page listing a job opening for “Directors to lead teams of Community Organizers for political and public affairs campaigns.”
Responding to questions about the contract, the California Department of Public Health (CDPH) said this in an email: “MyTurn, the state’s vaccine appointment program launched by CDPH, shares a list of booster eligible California residents with Street Level Strategy, LLC that includes names, age, gender, ethnicity, contact information and vaccination history in order to prioritize equity, with a focus on reaching communities that have been disproportionately impacted by the COVID-19 pandemic.”
However, the person who contacted me about the phone call from Street Level Campaigns did not make an appointment through MyTurn, choosing instead to go to a walk-up vaccination site. The next day, the person received a text from the California Department of Public Health. “Hi, congratulations on getting your first dose of the COVID-19 vaccine,” it began, and then listed the type of vaccine, the lot number and the date and time it was received.
MyTurn, in other words, collected data from people who did not visit the MyTurn site and voluntarily provide it. Instead, the staff operating the walk-up vaccination site reported the data to the state. And now the state “shares” that data with Street Level Strategy, LLC.
In its emailed responses to questions, CDPH said the contract “includes terms and conditions that outline information privacy and security requirements,” and “provisions which limit the use and retention of individual’s confidential information,” and “specific information security controls Street Level Strategy must have in place to maintain and protect the security of the data.”
Let’s hope that’s enough, because the state of California has given this political consulting shop $12.7 million in contracts and access to a confidential digital registry of every California resident who has received a COVID vaccine. The contract was awarded without competitive bidding under the authority of the governor’s emergency declaration of March 4, 2020, even though work under this contract did not begin until July 16, 2021.
Who is Street Level Strategy, LLC?
The president and founder of Street Level Strategy is Pat Dennis. His profile on the company website says that before he founded the firm, he “directed grassroots operations for labor and independent expenditure committees in over 50 congressional races throughout the country and worked as an organizer for the Service Employees International Union (SEIU).”
Others on the team have resumés that include organizing and advocacy work for progressive groups and labor unions. The company markets the service of “building authentic, engaged, and active grassroots coalitions of everyday people” to “shape policy outcomes at the local, state and national levels.”
CDPH said the contract’s “Exhibit F,” titled the “HIPAA Business Associate Addendum,” contains “multiple provisions that limit and restrict retention or use of data provided to Street Level Strategy.” But shouldn’t this contract have gone to a company in the health care industry, one with experience handling confidential medical data?
In a June 2021 story headlined, “California Vaccination Records Raise Data Privacy Concerns,” the Mercury News reported that some experts had “fresh privacy concerns about Californians’ health data” as the state surpassed 50 million vaccine doses delivered.
Lee Tien, a senior staff attorney at the Electronic Freedom Foundation, noted that the California Information Practices Act and HIPAA, the federal Health Insurance Portability and Accountability Act, impose confidentiality obligations on health care providers and on state agencies, such as the California Department of Public Health, but he worried about the data security of local health agencies, where he said those laws don’t apply.
Pam Dixon, executive director of the Oregon-based World Privacy Forum, told the Mercury News that the U.S. Department of Health and Human Services had issued some emergency waivers of HIPAA penalties to enable telehealth and other services using Zoom, Skype and various cloud-based solutions, and American Civil Liberties Union legislative coordinator Becca Cramer-Mowder agreed with Dixon that the federal waivers might make it easier for patient information to seep into the hands of data brokers.
“Other legal experts, however, are less concerned,” the Mercury News reported, citing Stanford Law School professor Michelle Mello, who said California “will have no direct involvement in furnishing companies with medical data.”
But the California Department of Public Health has confirmed that the state collected the confidential health data, contact information and demographic characteristics of everyone who received a vaccine and “shares” that data with a political consulting firm that happens to be in the business of contacting Californians to organize and mobilize coalitions to “shape policy outcomes” for the firm’s paying clients.
Did you know that? Now you do.
Write [email protected] and follow her on Twitter @Susan_Shelley