The Indiana Department of Health (IDOH) is notifying nearly 750,000 Hoosiers of a data breach involving responses collected from the state’s COVID-19 online contact tracing survey.
The state was notified of the unauthorised access on July 2 after an unnamed vulnerability-hunting company discovered a software misconfiguration that exposed data to the public.
Upon notification, the Indiana Office of Technology and IDOH immediately corrected the software configuration and re-secure the records that had been accessed.
Compromised information included names, addresses, email addresses, gender, race, ethnicity, and dates of birth.
“We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” said State Health Commissioner Kris Box, M.D., FACOG. “We will provide appropriate protections for anyone impacted.”
The state Department of Health will send letters to affected Hoosiers to notify them of the breach, and offer them one year of free credit monitoring.
“We take the security and integrity of our data very seriously,” said Tracy Barnes, chief information officer for the state. “The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.”