An Australian cybersecurity company improperly accessed the data of nearly 750,000 Hoosiers from the state’s COVID-19 online contact tracing survey database, the Indiana Department of Health said Tuesday.
The data included names, addresses, email addresses, gender identification, ethnicity and race information, and dates of birth. The state said no medical information was accessed.
A spokeswoman from the Indiana Department of Health identified the company as UpGuard, an information security company based in Sydney, Australia. On its website, the company calls itself the “best platform for securing your organization’s sensitive data.”
Company officials were not immediately available for comment.
The information was taken from the database containing the results of contact tracing, the job of tracking down people who have tested positive for COVID-19 and finding out with whom they recently have been in contact. Those people are then notified and urged to get tested.
The state last year hired an outside vendor, suburban Washington, D.C.-based Maximus Inc., to help local health departments across Indiana conduct contact tracing.
The state health department said UpGuard accessed a portal that collects responses submitted by people filling out the online contact tracing survey. This portal is not used by Maximus contact tracers.
In a press release, the state health department said officials were notified of the unauthorized access on July 2, but did not provide details.
Last week, the state and UpGuard signed a “certificate of destruction” to confirm that the data was not released to any other entity and was destroyed, the health department said.
“When the state was notified of the unauthorized access, the Indiana Office of Technology and IDOH immediately corrected a software configuration issue and requested the records that had been accessed,” the health department said in its announcement. “Those records were returned on Aug. 4.”
The health department said it will send letters to affected Hoosiers to notify them that the state will provide one year of free credit monitoring.
It is also partnering with Experian to open a call center to answer questions from those affected.
“We take the security and integrity of our data very seriously,” said Tracy Barnes, chief information officer for the state. “The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.”