Indiana notifying 750K after COVID-19 tracing data accessed
INDIANAPOLIS (AP) — Indiana health officials said Tuesday they are notifying nearly 750,000 state residents that a cybersecurity company “improperly accessed” their personal data from the state’s online COVID-19 contact tracing survey — a description the company disputed as a “falsehood.”
The Indiana Department of Health said the state was notified July 2 that a company gained “unauthorized access” to data, including names, addresses, dates of birth, emails, and data on gender, ethnicity and race.
The nearly 750,000 people whose data was accessed represent all of the state’s participants in its online COVID-19 contact tracing survey, said agency spokeswoman Megan Wade-Taxter.
State Health Commissioner Kris Box said the state health department does not collect Social Security information for its COVID-19 contact tracing program, and no medical information was obtained.
“We believe the risk to Hoosiers whose information was accessed is low,” Box said in a news release.
State officials did not identify the company involved in their news release, but Wade-Taxter said the company was UpGuard, a cybersecurity company based in Mountain View, California.
UpGuard spokeswoman Kelly Rethmeyer said in a statement Tuesday that Indiana’s news release describing the data access incident includes “many falsehoods.”
“For one, our company did not ‘improperly access’ the data. The data was left publicly accessible on the internet. This is known as a data leak,” she said. “It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user.”
Rethmeyer added that UpGuard “discovered this leaked information in the course of our research and notified the Indiana Department of Health since they were unaware of the leak.”
She added that the company “aided in securing the information, in turn ensuring that it would no longer be available to anyone with malicious intent.”
A message seeking comment on UpGuard’s statement was left Tuesday afternoon with Indiana’s health department.
Indiana officials said in their news release that UpGuard signed a “certificate of destruction” last week with the state to confirm that it had destroyed the data and not released it to any other entity.
Rethmeyer said that UpGuard has deleted “all the data in our possession.”
The Indiana Office of Technology and the state health department added that they have corrected a “software configuration issue” involved in the data access incident. Both departments also requested the accessed records, and those were returned Aug. 4, according to the news release.
“We have corrected the software configuration and will aggressively follow up to ensure no records were transferred,” said Tracy Barnes, Indiana’s chief information officer.
Rethmeyer questioned the state’s description of the software issue, saying that “the ‘Configuration issue’ is that every record was made to be publicly accessible.”
Indiana’s health department said it will send letters to affected Hoosiers notifying them that the state will provide one year of free credit monitoring and is partnering with Experian to open a call center to answer questions from those affected.
The Indiana Office of Technology said it will also continue regular scans to ensure that the information was not transferred to another party.