Contact Tracing Survey Data of 750,000 Hoosiers Disclosed On the Web

The personal information of 750,000 Hoosiers compiled during a COVID-19 contact tracing survey conducted by the Indiana Department of Health was exposed on the web and downloaded by a firm that was not authorized to access the data. The survey data included names, birth dates, emails, addresses, and data on gender, race, and ethnicity.

The Indiana Department of Health was notified of the unauthorized access on July 2, 2021 and promptly took action to secure the data and stop further unauthorized access. According to Tracy Barnes, the Chief Information Officer of Indiana, the firm that accessed and downloaded the information is a company that intentionally searches for software vulnerabilities and then tries to solicit business.

Recently, the Indiana Department of Health obtained a signed “certificate of destruction” from the firm confirming that the downloaded data had been entirely deleted and that no other copies of the data files were retained. The company likewise affirmed that the downloaded information was not disclosed to any other organization or individual. The Indiana Department of Health said the data were returned on August 4, 2021.

State Health Commissioner Kris Box believes the risk to state citizens is low, particularly given that the exposed information did not include highly sensitive data such as health records, medical insurance data, Social Security numbers, or financial details.

According to the investigation results, the cause of the data exposure was a software configuration issue, which left the data accessible over the Internet. At this time it is not clear whether anyone other than those at the cybersecurity firm downloaded the information while it was exposed online.

Barnes said that the Indiana Department of Health takes the security and confidentiality of information very seriously. The software setting has been corrected and there will be extensive follow-up to make certain that no records were copied. Indiana’s Office of Technology will perform scans continually to make sure that the downloaded information is not passed on to third parties.

Notification letters are being sent to affected people to inform them of the privacy violation, and the state said it will offer a 12-month membership to a credit monitoring service provided by Experian to persons impacted by the breach.

The Indiana Department of Health did not name the organization involved; however, some information indicates it is UpGuard, an organization that routinely scans the Internet for misconfigured cloud services to identify exposed sensitive data. The firm is proactive in seeking security vulnerabilities and exposed records and has found numerous cases where sensitive information was left exposed. In all instances, the company alerts the entities involved so that the information can be secured and kept from falling into the hands of threat actors.

According to UpGuard spokeswoman Kelly Rethmeyer, its team sent a notice to the state of Indiana to alert it to an API that was configured for public access. Upon reviewing the records, it was established that the data was sensitive and that it should never be open to the public.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.