INDIANAPOLIS — The Indiana Department of Health announced contact tracing data from nearly 750,000 people was improperly accessed.
The data accessed from the online COVID-19 contact tracing survey included names, addresses, emails, genders, ethnicities, races and dates of birth, according to a press release from IDOH.
On July 2, the state was notified of the unauthorized access and the company that accessed the data signed a certificate of destruction last week. The certificate confirms the data was not released to any other entity and was destroyed.
Once notified of the unauthorized access, IDOH and the Indiana Office of Technology corrected a software configuration issue and requested the records that were accessed, according to the release. The records were returned on Aug. 4.
IDOH Commissioner Dr. Kris Box said they believe the risk to Hoosiers who had their information accessed is low and Social Security information is not collected as a part of the contact tracing program.
IDOH is sending letters to affected Hoosiers, providing one year of free credit monitoring and opening a call center with Experian to answer questions. The Indiana Office of Technology will continue its regular scans to ensure the data was not transferred to another party.
“We take the security and integrity of our data very seriously,” Tracy Barnes, Indiana's chief information officer, said in the release. “The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.”