Indiana says cybersecurity company 'improperly accessed' COVID-19 data

The state health department said it was notifying almost 750,000 Indiana residents that the information had been breached.
By Kat Jercich
02:52 PM

Photo: "Welcome to Indiana"formulanone / Flickr, licensed under CC BY-SA 2.0

The Indiana Department of Health said this week that it was notifying almost 750,000 Hoosiers after a company "improperly accessed" the data from the state's COVID-19 online contact tracing survey.  

But the company in question, the cybersecurity vendor UpGuard, told the Associated Press' Rick Callahan that it had actually discovered the data was publicly accessible on the internet and had notified the health department about it.  

"This is known as a data leak," UpGuard spokesperson Kelly Rethmeyer said in a statement sent to Callahan. "It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user."  

UpGuard has deleted all the data in its possession, said Rethmeyer.  

UpGuard and IDH did not respond to Healthcare IT News' requests for comment by press time.  

WHY IT MATTERS  

IDH said it learned on July 2 that a company had accessed the data from the state's online COVID-19 contact tracing survey. The data included names, addresses, dates of birth, emails, gender, ethnicity and race.   

But UpGuard representatives told Callahan that it had not "improperly accessed" the data.  

Rather, said Rethmeyer, the company "aided in securing the information, in turn ensuring that it would no longer be available to anyone with malicious intent."  

Indiana officials said that UpGuard had signed a so-called certificate of destruction to confirm it had destroyed the data and not shared it with any other entity.   

The records were returned on Aug. 4.  

"We take the security and integrity of our data very seriously," said Tracy Barnes, chief information officer for the state, in a statement provided to local news site WTHR. "The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business."

"We have corrected the software configuration and will aggressively follow up to ensure no records were transferred," Barnes added.  

THE LARGER TREND  

Although the exact situation with IDH remains unclear, it wouldn't be the first time COVID-19-related data accidentally went public.   

In May of this year, a Wyoming Department of Health employee mistakenly uploaded COVID-19, influenza and blood alcohol test results for more than a quarter of the state's population to a public-facing website.  

Two months prior, a state of California employee improperly accessed more than 2,000 employee and patient records from Atascadero State Hospital that had been necessary for tracking COVID-19.  

ON THE RECORD  

Regarding the Indiana incident, "in this case, the data that was accessed appears to have been done so in a way that did not put it at risk of cyber criminals obtaining it," said Erich Kron, security awareness advocate at the training vendor KnowBe4, in a statement.   

"Unfortunately, 'software configuration' errors such as this often lead to the data being accessed by bad actors, putting the users of the systems at risk," Kron said.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.