Contact Tracing Survey Data of 750,000 Hoosiers Exposed Online

The personal information of 750,000 Hoosiers collected as part of a COVID-19 contact tracing survey conducted by the Indiana Department of Health has been exposed online and downloaded by a company not authorized to access the data. The survey included information such as names, addresses, dates of birth, emails, and information on gender, ethnicity and race.

The Indiana Department of Health was notified about the unauthorized access on July 2, 2021 and immediately took steps to secure the data to prevent further unauthorized access. According to Tracy Barnes, the Chief Information Officer of the state of Indiana, the company that accessed and downloaded the data was a firm “that intentionally looks for software vulnerabilities, then reaches out to seek business.”

Last week, the Indiana Department of Health obtained a signed “certificate of destruction” from the company confirming the downloaded data had been permanently destroyed and that no further copies of the data had been retained. The company also confirmed the downloaded data had not been disclosed to any other company or individual.  The Indiana Department of Health said the data were returned on August 4, 2021.

State Health Commissioner Kris Box believes the risk to state residents is minimal, especially considering the compromised data did not include highly sensitive information such as health data, health insurance information, Social Security numbers, or financial information.

An investigation was launched into the incident, and it was determined that the reason the data had been exposed was due to a software configuration issue, which left the data exposed to the Internet. Currently it is unclear if any individuals other than those at the cybersecurity company downloaded the records while they were exposed over the Internet.

“We take the security and integrity of our data very seriously,” said Barnes. “We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.” Indiana’s Office of Technology will conduct scans regularly to ensure that the downloaded data is not transferred to third parties.

Notification letters are being sent to affected individuals to make them aware of the privacy breach, and the state said it will be offering a 12-month membership to a credit monitoring service provided by Experian to individuals affected by the breach.

The Indiana Department of Health did not name the company concerned, but HIPAA Journal has learned the company is UpGuard, a firm that regularly scans the Internet for misconfigured cloud services to identify sensitive exposed data. The company is proactive in searching for security vulnerabilities and exposed data and has identified many cases where sensitive data have been left unprotected. In all cases, the company alerts the entities concerned to ensure data are secured to prevent sensitive information falling into the hands of cybercriminals.

“Our team sent a note to the state of Indiana to notify them that they had an API that was configured for public access. Upon looking at the data, we determined that the information was sensitive and that it should not be public,” said UpGuard spokeswoman, Kelly Rethmeyer.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.