Indiana Health Officials Notify ~750k Hoosiers About COVID-19 Contract Tracing Data Leak

Aug. 19, 2021

Approximately 750,000 residents of Indiana were informed their data was “improperly accessed”—UpGuard spokeswoman calls it a data leak

Janette Wider

On Aug. 17, the Indiana Department of Health (IDOH) issued a statement notifying approximately 750,000 residents that data from the state’s online COVID-19 contact tracing service had been “improperly accessed.” The statement from IDOH stated that “The data included name, address, email, gender, ethnicity and race, and date of birth.”

Further, “The state was notified of the unauthorized access on July 2. Last week, the state and the company that accessed the data signed a ‘certificate of destruction’ to confirm that the data was not released to any other entity and was destroyed by the company. When the state was notified of the unauthorized access, the Indiana Office of Technology and IDOH immediately corrected a software configuration issue and requested the records that had been accessed. Those records were returned on Aug. 4.”

State Health Commissioner Kris Box, M.D is quoted in the statement saying that “We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained. We will provide appropriate protections for anyone impacted.”

Additionally, “The state Department of Health will send letters to affected Hoosiers to notify them that the state will provide one year of free credit monitoring and is partnering with Experian to open a call center to answer questions from those impacted. In addition, the Indiana Office of Technology will continue its regular scans to ensure information was not transferred to another party.”

According to an Aug. 17 article from The Associated Press by Rick Callahan, agency spokeswoman for IDOH, Megan Wade-Taxter, said that “The company [that state officials did not disclose in their release] was UpGuard, a cybersecurity company based in Mountain View, Calif. UpGuard spokeswoman Kelly Rethmeyer said in statement Tuesday that Indiana’s news release describing the data access incident includes ‘many falsehoods.’”

Callahan wrote that “‘For one, our company did not `improperly access’ the data. The data was left publicly accessible on the internet. This is known as a data leak,” she [Rethmeyer] said. ‘It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user.’”

Further, “Rethmeyer added that UpGuard ‘discovered this leaked information in the course of our research and notified the Indiana Department of Health since they were unaware of the leak.’ She added that the company ‘aided in securing the information, in turn ensuring that it would no longer be available to anyone with malicious intent.’”