Indiana notifies 750,000 after COVID-19 tracing data accessed

Data Breach overlaying a circuitboard

Indiana officials at the Department of Health have notified around 750,000 residents that a company improperly accessed personal data from the state’s online COVID-19 contact tracing survey.

The agency said the state was notified on July 2 that a company gained unauthorized access to data, including names, addresses, dates of birth, emails, and gender, ethnicity and race data.

Indiana’s chief information officer (CIO) Tracy Barnes said the agency took “the security and integrity of our data very seriously.”

“The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred,” she said.

State Health Commissioner Kris Box said the risk to residents of the state was low. “We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” she said.

Indiana’s Department of Health will send letters to affected residents notifying them the state will provide one year of free credit monitoring and is partnering with Experian to open a call center to answer questions. The Indiana Office of Technology also said it will continue its regular scans to ensure information was not transferred to another party.

Trevor Morgan, product manager at comforte AG, told ITPro our personal information, especially when wrapped in the context of our health records, is not something we want unauthorized people or companies to access.

“We place our faith in the assumption that agencies and other organizations which collect and process that data also put forward the strongest effort to guard that information. For any company like this which processes PII or PHI, data-centric security can add another, more appropriate safeguard against unauthorized access alongside more traditional perimeter-based defenses,” Morgan said.

“Methods like tokenization replace sensitive data elements with representational tokens, so even if it falls into the wrong hands the sensitive information is indecipherable and cannot be leveraged. While this incident could have been worse, we’d all feel better knowing that our sensitive personal information could never be compromised, no matter who gets their hands on it."


The technology of trust

How to protect your most valuable commodity


Erich Kron, security awareness advocate at KnowBe4, told ITPro it appears the company accessed the data in a way that did not put it at risk of cyber criminals obtaining it.

“Unfortunately, ‘software configuration’ errors such as this often lead to the data being accessed by bad actors, putting the users of the systems at risk,” he said. “Incidents such as this are learning opportunities for any organization that handles sensitive data. It also drives home the need for constant security testing and for ensuring processes are in place to help protect data, especially when configuration changes are being made."

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.