Indiana notifies 750,000 after COVID-19 tracing data accessed

Indiana officials at the Department of Health have notified around 750,000 residents that a company improperly accessed personal data from the state’s online COVID-19 contact tracing survey.

The agency said the state was notified on July 2 that a company gained unauthorized access to data, including names, addresses, dates of birth, emails, and gender, ethnicity and race data.

Indiana’s chief information officer (CIO) Tracy Barnes said the agency took “the security and integrity of our data very seriously.”

“The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred,” she said.

State Health Commissioner Kris Box said the risk to residents of the state was low. “We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” she said.

Indiana’s Department of Health will send letters to affected residents notifying them the state will provide one year of free credit monitoring and is partnering with Experian to open a call center to answer questions. The Indiana Office of Technology also said it will continue its regular scans to ensure information was not transferred to another party.

Trevor Morgan, product manager at comforte AG, told ITPro our personal information, especially when wrapped in the context of our health records, is not something we want unauthorized people or companies to access.

“We place our faith in the assumption that agencies and other organizations which collect and process that data also put forward the strongest effort to guard that information. For any company like this which processes PII or PHI, data-centric security can add another, more appropriate safeguard against unauthorized access alongside more traditional perimeter-based defenses,” Morgan said.

“Methods like tokenization replace sensitive data elements with representational tokens, so even if it falls into the wrong hands the sensitive information is indecipherable and cannot be leveraged. While this incident could have been worse, we’d all feel better knowing that our sensitive personal information could never be compromised, no matter who gets their hands on it."

Erich Kron, security awareness advocate at KnowBe4, told ITPro it appears the company accessed the data in a way that did not put it at risk of cyber criminals obtaining it.

“Unfortunately, ‘software configuration’ errors such as this often lead to the data being accessed by bad actors, putting the users of the systems at risk,” he said. “Incidents such as this are learning opportunities for any organization that handles sensitive data. It also drives home the need for constant security testing and for ensuring processes are in place to help protect data, especially when configuration changes are being made."