IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Indiana notifies 750,000 after COVID-19 tracing data accessed

The state is following up to ensure no information was transferred to bad actors

Data Breach overlaying a circuitboard

Indiana officials at the Department of Health have notified around 750,000 residents that a company improperly accessed personal data from the state’s online COVID-19 contact tracing survey.

The agency said the state was notified on July 2 that a company gained unauthorized access to data, including names, addresses, dates of birth, emails, and gender, ethnicity and race data.

Indiana’s chief information officer (CIO) Tracy Barnes said the agency took “the security and integrity of our data very seriously.”

“The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred,” she said.

State Health Commissioner Kris Box said the risk to residents of the state was low. “We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” she said.

Indiana’s Department of Health will send letters to affected residents notifying them the state will provide one year of free credit monitoring and is partnering with Experian to open a call center to answer questions. The Indiana Office of Technology also said it will continue its regular scans to ensure information was not transferred to another party.

Trevor Morgan, product manager at comforte AG, told ITPro our personal information, especially when wrapped in the context of our health records, is not something we want unauthorized people or companies to access. 

“We place our faith in the assumption that agencies and other organizations which collect and process that data also put forward the strongest effort to guard that information. For any company like this which processes PII or PHI, data-centric security can add another, more appropriate safeguard against unauthorized access alongside more traditional perimeter-based defenses,” Morgan said.

“Methods like tokenization replace sensitive data elements with representational tokens, so even if it falls into the wrong hands the sensitive information is indecipherable and cannot be leveraged. While this incident could have been worse, we’d all feel better knowing that our sensitive personal information could never be compromised, no matter who gets their hands on it."

Related Resource

The technology of trust

How to protect your most valuable commodity

The technology of trust- whitepaper from OktaDownload now

Erich Kron, security awareness advocate at KnowBe4, told ITPro it appears the company accessed the data in a way that did not put it at risk of cyber criminals obtaining it. 

“Unfortunately, ‘software configuration’ errors such as this often lead to the data being accessed by bad actors, putting the users of the systems at risk,” he said. “Incidents such as this are learning opportunities for any organization that handles sensitive data. It also drives home the need for constant security testing and for ensuring processes are in place to help protect data, especially when configuration changes are being made."

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Modernise your legacy databases in the cloud
Whitepaper

Modernise your legacy databases in the cloud

10 Jun 2022
Deploying flexible data protection to support cloud workload placement
Whitepaper

Deploying flexible data protection to support cloud workload placement

10 Mar 2022
Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Europol ordered to delete huge cache of unlawfully stored data
data protection

Europol ordered to delete huge cache of unlawfully stored data

11 Jan 2022

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022