Indiana notifies 750,000 after COVID-19 tracing data accessed

The state is following up to ensure no information was transferred to bad actors

Data Breach overlaying a circuitboard

Indiana officials at the Department of Health have notified around 750,000 residents that a company improperly accessed personal data from the state’s online COVID-19 contact tracing survey.

The agency said the state was notified on July 2 that a company gained unauthorized access to data, including names, addresses, dates of birth, emails, and gender, ethnicity and race data.

Indiana’s chief information officer (CIO) Tracy Barnes said the agency took “the security and integrity of our data very seriously.”

“The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred,” she said.

State Health Commissioner Kris Box said the risk to residents of the state was low. “We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” she said.

Indiana’s Department of Health will send letters to affected residents notifying them the state will provide one year of free credit monitoring and is partnering with Experian to open a call center to answer questions. The Indiana Office of Technology also said it will continue its regular scans to ensure information was not transferred to another party.

Trevor Morgan, product manager at comforte AG, told ITPro our personal information, especially when wrapped in the context of our health records, is not something we want unauthorized people or companies to access. 

“We place our faith in the assumption that agencies and other organizations which collect and process that data also put forward the strongest effort to guard that information. For any company like this which processes PII or PHI, data-centric security can add another, more appropriate safeguard against unauthorized access alongside more traditional perimeter-based defenses,” Morgan said.

“Methods like tokenization replace sensitive data elements with representational tokens, so even if it falls into the wrong hands the sensitive information is indecipherable and cannot be leveraged. While this incident could have been worse, we’d all feel better knowing that our sensitive personal information could never be compromised, no matter who gets their hands on it."

Related Resource

The technology of trust

How to protect your most valuable commodity

The technology of trust- whitepaper from OktaDownload now

Erich Kron, security awareness advocate at KnowBe4, told ITPro it appears the company accessed the data in a way that did not put it at risk of cyber criminals obtaining it. 

“Unfortunately, ‘software configuration’ errors such as this often lead to the data being accessed by bad actors, putting the users of the systems at risk,” he said. “Incidents such as this are learning opportunities for any organization that handles sensitive data. It also drives home the need for constant security testing and for ensuring processes are in place to help protect data, especially when configuration changes are being made."

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021
Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Neiman Marcus data breach hits 4.6 million customers
data breaches

Neiman Marcus data breach hits 4.6 million customers

4 Oct 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021