COVID-19 Contact Tracing Surveys Subject of Health Data Breach
The health department is notifying residents of a data breach involving PHI.
The Indiana Department of Health (IDOH) began notifying residents of a health data breach that involved the state’s online COVID-19 contact tracing survey.
According to a press release published on August 17, the IDOH is notifying 750,000 residents that data from the online contact tracing survey was improperly accessed.
The breached data includes individuals’ names, addresses, email addresses, genders, race and ethnicities, and dates of birth, according to the release.
On July 2, the state of Indiana was notified of the breach, the statement notes.
“Last week, the state and the company that accessed the data signed a ‘certificate of destruction’ to confirm that the data was not released to any other entity and was destroyed by the company,” the press release states.
“When the state was notified of the unauthorized access, the Indiana Office of Technology and IDOH immediately corrected a software configuration issue and requested the records that had been accessed,” it states. “Those records were returned on Aug. 4.”
State Health Commissioner Kris Box, MD, says in the press release that the risk to impacted residents is low.
“We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” Box states. “We will provide appropriate protections for anyone impacted.”
The Indiana Department of Health is sending letters to all the individuals impacted by the data breach and will also provide free credit monitoring.
The state is partnering with Experian to offer one year of credit monitoring services and establish a call center.
“In addition, the Indiana Office of Technology will continue its regular scans to ensure information was not transferred to another party,” the release notes.
Tracy Barnes, chief information officer for the State of Indiana, says in the release that the state takes the “security and integrity of our data very seriously.”
“The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business,” Barnes states. “We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.”