State details unauthorized access of contact tracing data

INDIANAPOLIS (Inside INdiana Business) — The Indiana State Department of Health says it is notifying nearly 750,000 Hoosiers of a data breach from the state’s COVID-19 online contact tracing survey. The state says it was notified last month of unauthorized access of the data, which did not include medical information.

The data that was accessed includes name, address, email, gender, ethnicity and race and date of birth.

The ISDH says the state and the company that accessed the data signed a “certificate of destruction,” which says the data was not released to another entity and was destroyed by the company. The name of the company was not disclosed.

“We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” State Health Commissioner Dr. Kris Box said in a news release. “We will provide appropriate protections for anyone impacted.”

The ISDH says when it was notified of the unauthorized access, it and the Indiana Office of Technology corrected a software configuration issue and requested the records that had been accessed, which were returned on Aug. 4.

“We take the security and integrity of our data very seriously,” said Tracy Barnes, chief information officer for the state. “The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.”

The ISDH says it will send letters to the affected Hoosiers to notify them that the state will provide one year of free credit monitoring. The state is also partnering with Experian to open a call center to answer questions.