Security vendor says its access of Indiana COVID-19 data was not ‘unauthorized’
The personal information of about 750,000 Indiana residents was recently accessed by an “unauthorized” party that was able to get into a COVID-19 contact-tracing database, state officials said Tuesday.
The state was notified July 2 that the database — which includes names, addresses, dates of birth, email addresses, genders and ethnicities — had been accessed earlier this year by an outside company. In a press release, Indiana Chief Information Officer Tracy Barnes attributed the activity to a firm that looks for weak points in websites and networks.
“We take the security and integrity of our data very seriously,” Barnes said. “The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business.”
An Indiana official told StateScoop that the company, without authorization, took all possible data and held onto it for several weeks before notifying the state government in an attempt to generate business for itself. While the state’s press release did not name the company, it has been identified as UpGuard, a cybersecurity vendor.
The Indiana Office of Technology said the software configuration that led to the database access was corrected “immediately” after the July 2 notification. Officials also said UpGuard signed a “certificate of destruction” agreement last week confirming that the data was not shared with any other entity before it deleted its copies on Aug. 4.
According to the Indiana Department of Health, which runs the state’s coronavirus response, including contact tracing, the database did not include any Social Security numbers or medical information. But the department is still sending letters to the residents whose information was accessed and offering one year of free credit monitoring.
“We believe the risk to Hoosiers whose information was accessed is low,” Kris Box, the state health commissioner, said in the press release.
But UpGuard disputed Indiana officials’ description of its activities, with a company spokeswoman telling StateScoop that it discovered the data leak in the course of researching software vulnerabilities, and notified the state on July 2.
“We were trying to help them,” said the spokeswoman, Kelly Rethmeyer. “Our team sent a note to the state of Indiana to notify them that they had an API that was configured for public access. Upon looking at the data, we determined that the information was sensitive and that it should not be public.”
Rethmeyer also told StateScoop that UpGuard’s overture to Indiana officials was not meant as a solicitation. A portion of the original message sent by Greg Pollock, the company’s vice president of cyber product research, states that he did “not expect or require any form of compensation or business in exchange for this notification.”
She also said it was UpGuard that requested the certificate of destruction to confirm that it had discarded the COVID-19 data.
Indiana is not the only state to experience a breach of coronavirus-related information. In April, Wyoming officials acknowledged that a state health employee unintentionally published to GitHub dozens of files containing the information of residents who had be tested for COVID-19 and influenza. That incident, which included data on more than one-quarter of Wyoming’s population, led to the resignations in May of state CIO Gordon Knopp and Department of Health Director Mike Ceballos.