Indiana notifying 750K after COVID-19 tracing data accessed

health information
Credit: Pixabay/CC0 Public Domain

Indiana health officials said Tuesday they are notifying nearly 750,000 state residents that a cybersecurity company "improperly accessed" their personal data from the state's online COVID-19 contact tracing survey—a description the company disputed as a "falsehood."

The Indiana Department of Health said the state was notified July 2 that a gained "unauthorized access" to data, including names, addresses, dates of birth, emails, and data on gender, ethnicity and race.

The nearly 750,000 people whose data was accessed represent all of the state's participants in its online COVID-19 contact tracing survey, said agency spokeswoman Megan Wade-Taxter.

State Health Commissioner Kris Box said the state department does not collect Social Security information for its COVID-19 contact tracing program, and no was obtained.

"We believe the risk to Hoosiers whose information was accessed is low," Box said in a news release.

State officials did not identify the company involved in their news release, but Wade-Taxter said the company was UpGuard, a cybersecurity company based in Mountain View, California.

UpGuard spokeswoman Kelly Rethmeyer said in statement Tuesday that Indiana's news release describing the data access incident includes "many falsehoods."

"For one, our company did not `improperly access' the data. The data was left publicly accessible on the internet. This is known as a data leak," she said. "It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user."

Rethmeyer added that UpGuard "discovered this leaked information in the course of our research and notified the Indiana Department of Health since they were unaware of the leak."

She added that the company "aided in securing the information, in turn ensuring that it would no longer be available to anyone with malicious intent."

A message seeking comment on UpGuard's statement was left Tuesday afternoon with Indiana's health department.

Indiana officials said in their news release that UpGuard signed a "certificate of destruction" last week with the state to confirm that it had destroyed the data and not released it to any other entity.

Rethmeyer said that UpGuard has deleted "all the data in our possession."

The Indiana Office of Technology and the state health department added that they have corrected a "software configuration issue" involved in the data access incident. Both departments also requested the accessed records, and those were returned Aug. 4, according to the news release.

"We have corrected the software configuration and will aggressively follow up to ensure no records were transferred," said Tracy Barnes, Indiana's chief information officer.

Rethmeyer questioned the state's description of the software issue, saying that "the `Configuration issue' is that every record was made to be publicly accessible."

Indiana's health department said it will send letters to affected Hoosiers notifying them that the state will provide one year of free credit monitoring and is partnering with Experian to open a call center to answer questions from those affected.

The Indiana Office of Technology said it will also continue regular scans to ensure that the was not transferred to another party.

Explore further

Data firm working for Trump exposed 198 mn voter files: researchers

© 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.

Citation: Indiana notifying 750K after COVID-19 tracing data accessed (2021, August 18) retrieved 7 August 2022 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Feedback to editors