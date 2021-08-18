INDIANAPOLIS – A cybersecurity company accessed nearly 750,000 Hoosiers' contact tracing data, the state reported Tuesday.

The data included names, addresses, emails, genders, ethnicities and races, and dates of birth.

But the company – UpGuard Inc. – disputed that it did anything “improper” as alleged by state officials.

“The data was left publicly accessible on the internet. This is known as a data leak. It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user,” said Kelly Rethmeyer, spokeswoman for the company.

“We discovered this leaked information in the course of our research and notified the Indiana Department of Health since they were unaware of the leak. We aided in securing the information, in turn ensuring that it would no longer be available to anyone with malicious intent.”

The state learned of the breach July 2, but the Indiana Department of Health only made it public this week. A news release said the state and the company that accessed the data signed a “certificate of destruction” last week to confirm the data was not released to any other entity and was destroyed by the company.

After being notified of the unauthorized access, the Indiana Office of Technology and state health agency immediately corrected a software configuration issue and requested the records that had been accessed, a news release said. Those records were returned Aug. 4.

“We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” said State Health Commissioner Dr. Kris Box. “We will provide appropriate protections for anyone impacted.”

The Indiana Department of Health will send letters to affected Hoosiers to notify them that the state will provide one year of free credit monitoring and is partnering with Experian to open a call center to answer questions from those impacted. In addition, the Indiana Office of Technology will continue its regular scans to ensure information was not transferred to another party.

“We take the security and integrity of our data very seriously,” said Tracy Barnes, chief information officer for the state. “The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.”

Rethmeyer denied this allegation, saying the company doesn't look for software vulnerabilities to exploit.

Rethmeyer also included template language from the email sent to the state that said, “This message is not a sales pitch or solicitation. I have no demands for you. I do not expect or require any form of compensation or business in exchange for this notification.”

The Indiana Department of Health said, “We stand by our statements in our release.”

