IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Indiana notifies 750,000 after COVID-19 tracing data accessed

The state is following up to ensure no information was transferred to bad actors

Data Breach overlaying a circuitboard

Indiana officials at the Department of Health have notified around 750,000 residents that a company improperly accessed personal data from the state’s online COVID-19 contact tracing survey.

The agency said the state was notified on July 2 that a company gained unauthorized access to data, including names, addresses, dates of birth, emails, and gender, ethnicity and race data.

Indiana’s chief information officer (CIO) Tracy Barnes said the agency took “the security and integrity of our data very seriously.”

“The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred,” she said.

State Health Commissioner Kris Box said the risk to residents of the state was low. “We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” she said.

Indiana’s Department of Health will send letters to affected residents notifying them the state will provide one year of free credit monitoring and is partnering with Experian to open a call center to answer questions. The Indiana Office of Technology also said it will continue its regular scans to ensure information was not transferred to another party.

Trevor Morgan, product manager at comforte AG, told ITPro our personal information, especially when wrapped in the context of our health records, is not something we want unauthorized people or companies to access. 

“We place our faith in the assumption that agencies and other organizations which collect and process that data also put forward the strongest effort to guard that information. For any company like this which processes PII or PHI, data-centric security can add another, more appropriate safeguard against unauthorized access alongside more traditional perimeter-based defenses,” Morgan said.

“Methods like tokenization replace sensitive data elements with representational tokens, so even if it falls into the wrong hands the sensitive information is indecipherable and cannot be leveraged. While this incident could have been worse, we’d all feel better knowing that our sensitive personal information could never be compromised, no matter who gets their hands on it."

Related Resource

The technology of trust

How to protect your most valuable commodity

The technology of trust- whitepaper from OktaDownload now

Erich Kron, security awareness advocate at KnowBe4, told ITPro it appears the company accessed the data in a way that did not put it at risk of cyber criminals obtaining it. 

“Unfortunately, ‘software configuration’ errors such as this often lead to the data being accessed by bad actors, putting the users of the systems at risk,” he said. “Incidents such as this are learning opportunities for any organization that handles sensitive data. It also drives home the need for constant security testing and for ensuring processes are in place to help protect data, especially when configuration changes are being made."

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Deploying flexible data protection to support cloud workload placement
Whitepaper

Deploying flexible data protection to support cloud workload placement

10 Mar 2022
Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Europol ordered to delete huge cache of unlawfully stored data
data protection

Europol ordered to delete huge cache of unlawfully stored data

11 Jan 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022