Cybersecurity company denies it ‘improperly accessed’ Indiana health records

  • Comments
  • Print

A cybersecurity company is disputing the Indiana Department of Health’s announcement Tuesday that it “improperly accessed” the COVID-19 data of nearly 750,000 Hoosiers.

UpGuard Inc., founded in Australia and based in Mountain View, California, told IBJ that the state health department left the data publicly accessible on the internet, an incident the company called a “data leak.”

“We discovered this leaked information in the course of our research and notified the Indiana Department of Health since they were unaware of the leak,” company spokeswoman Kelly Rethmeyer wrote in an email. “We aided in securing the information, in turn ensuring that it would no longer be available to anyone with malicious intent.”

The data included names, addresses, email addresses, gender identification, ethnicity and race information, and dates of birth. The state said no medical information was accessed.

UpGuard also disputed the comments of Tracy Barnes, chief information officer for the state, who said in Tuesday’s announcement that the company “intentionally looks for software vulnerabilities, then reaches out to seek business.”

Rethmeyer said the company does not “look for software vulnerabilities,” which she defined as weaknesses that can be exploited  by cybercriminals to gain unauthorized access to a computer system.

“We do not exploit vulnerabilities, we help to secure data leaks and breaches,” she wrote.

UpGuard said it notified the health department of the leak, but did not solicit business to repair the leak.

On its website, UpGuard calls itself the “best platform for securing your organization’s sensitive data.”

The information was taken from the database containing the results of contact tracing, the job of tracking down people who have tested positive for COVID-19 and finding out with whom they recently have been in contact. Those people are then notified and urged to get tested.

The state last year hired an outside vendor, suburban Washington, D.C.-based Maximus Inc., to help local health departments across Indiana conduct contact tracing.

The health department said UpGuard accessed a portal that collects responses submitted by people filling out the online contact tracing survey. This portal is not used by Maximus contact tracers.

In its press release, the state health department said officials were notified of the unauthorized access on July 2.

Last week, the state and UpGuard signed a “certificate of destruction” to confirm that the data was not released to any other entity and was destroyed, the health department said.

“When the state was notified of the unauthorized access, the Indiana Office of Technology and IDOH immediately corrected a software configuration issue and requested the records that had been accessed,” the health department said in its announcement. “Those records were returned on Aug. 4.”

The health department said it will send letters to affected Hoosiers to notify them that the state will provide one year of free credit monitoring.

When informed that UpGuard disputed its characterization of the events, the department said it stood by its comments.

Please enable JavaScript to view this content.

Story Continues Below

Editor's note: You can comment on IBJ stories by signing in to your IBJ account. If you have not registered, please sign up for a free account now. Please note our updated comment policy that will govern how comments are moderated.

8 thoughts on “Cybersecurity company denies it ‘improperly accessed’ Indiana health records

  1. Sounds like Indiana gots caught with its fly down and all of our junk swinging in the breeze, so UpGuard offered to repair the faulty zipper. Of course Indiana’s CIO is lashing out – they should be boxing up their desk any minute!

  2. Well, it’s a perfectly legitimate business approach to look for problems and then offer to fix them. There are ways to do that properly and ways to be shady. I don’t know the company or what they did specifically. However, if the state left the data exposed, the only party at fault is the state. If the state doesn’t like that they were informed by an external party, they don’t have to choose to do business with that vendor, but the only thing they need is a mirror if they want to place blame.

    1. Sayeth @TS: Well, it’s a perfectly legitimate business approach to look for problems and then offer to fix them.
      So if I find your house is unlocked, I can legally enter it, take things out of it, then notify you of my actions and offer to fix it for you? (I don’t need any chest-thumping about what’s going to happen to me if I try it…I’m just wanting to know if what I’m suggesting is a low-tech equivalence.)


  3. The ISDH CIO is a complete joke. I would not be surprised that he totally boffed things by thinking he is smarter than everyone else. The state CIO should really look into how poorly that division has been run over the years. Many of the local IT agencies won’t assist ISDH because this guy mistreats contractors, employees, and service providers. He hires the cheapest people he can find, expects PHD level work, brow beats everyone who doesn’t think he’s the best thing since cold water, and we get a penetration test that says he’s failed to cover the state’s assets.
    There has to be a “last ranked” for every category — I would not be surprised to learn this guy is exactly that for the entire state of Indiana (if not the midwest).

  4. Chris H., I don’t know who you’re talking about, but it’s certainly not the current ISDH CIO. The current CIO is a total professional with leadership and technical skills worth three or four times the state pays him. He remains at ISDH as a matter of integrity, to finish projects that will take another year or two to complete, because he’s promised to see them through. He commands the respect ob both his reports and his peers in the agency. A “joke”? “Mistreats”? “Brow beats”? Never, not this guy. You’re either deliberately misinformed or a sour-grapes former employee.

    1. Matthew — Far from sour grapes form employee. The state CIO is a great guy (I know Tracy well and would highly agree that he’s of integrity and professionalism).
      The ISDH CIO is a joke — promoted into the path of failure. He’s the only person in my professional career whom I’ve literally walked out of an interview on. To say he’s professional and respectful is far from what I’ve experienced, had friends and former co-workers report, and heard from my professional network. Several of the local agencies refuse to send experienced candidates to ISDH because they don’t want to poison the well with a potentially unprofessional interview for a rate that is so far below other agencies. I’ve heard so many similar stories about the ISDH CIO that my experience has been confirmed as a repeat pattern.
      95% of the state IT people are absolutely fantastic to deal with — truly class people doing the right thing for the right reason in spite of the lack of funding the state house gives them. I have no issue with them –just this one individual who has demonstrated that he is not to be trusted to work to the citizen’s benefit.

    2. Working at 30% of the pay his skills would command in the private sector because of “Integrity” LOL. Government is where incompetent people go to hide.

  5. Chris, you’re certainly entitled to your opinion, even one admittedly based on hearsay and a claimed aborted interview for an undefined job on an undefined date. My opinion, by comparison, is based on working personally, side by side with the guy for many years, including countless observations of his program-saving tech skills and professional treatment of subordinates. The hearsay from your “professional network” friends is comically wrong, and it’s ridiculous to assert that “local agencies” (which ones?) are actually “refusing” to send candidates to ISDH (again, which ones?) because they view the CIO as “poison.” Ridiculous. Anyway, I’m done here. Those who care about this thinly tangential tit-for-tat can judge for themselves who is correct, perhaps while contemplating how someone you call a “failure” firmly remains CIO at ISDH — with the approval and high regard of unquestioned professionals like Kris Box, Lindsay Weaver, and (yes) even Tracy Barnes.