Hundreds of thousands of Indiana residents are being notified of a data breach involving responses collected via the Hoosier State's COVID-19 online contact tracing survey.
A software misconfiguration that left information exposed to the public was discovered by an unnamed vulnerability-hunting company. The company informed state officials of the breach on July 2 after they were able to access and download the data.
The breach was announced by state health officials on Tuesday. Information that was compromised in the incident included names, addresses, email addresses, gender, race, ethnicity, and dates of birth.
The Indiana Office of Technology and the Indiana Department of Health (IDOH) said immediate steps were taken to correct the misconfiguration and re-secure the records that had been accessed.
“We take the security and integrity of our data very seriously,” said Tracy Barnes, chief information officer for the state, in a statement.
“The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.”
The company that discovered the breach returned the sensitive data on August 4 and signed a certificate of destruction to confirm that the information had been permanently deleted.
State health commissioner Dr. Kris Box said they believe the impact of the data breach will be minimal owing to the nature of the information that was accessed.
"We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained," said Dr. Box.
"We will provide appropriate protections for anyone impacted."
Affected Indiana residents will receive data breach notification letters and will be provided with one year of free credit monitoring. The state is partnering with credit monitoring company Experian to set up a call center that will serve victims of the data breach.
Nearly 750,000 residents have been impacted by the data breach. The Indiana Office of Technology said it will use scanning techniques to ensure that the compromised information was not passed to any additional parties.