A cybersecurity company is disputing the Indiana Department of Health’s announcement Tuesday that it “improperly accessed” the COVID-19 data of nearly 750,000 Hoosiers.
UpGuard Inc., founded in Australia and based in Mountain View, California, told the Indianapolis Business Journal that the state health department left the data publicly accessible on the internet, an incident the company called a “data leak.”
“We discovered this leaked information in the course of our research and notified the Indiana Department of Health since they were unaware of the leak,” company spokeswoman Kelly Rethmeyer wrote in an email. “We aided in securing the information, in turn ensuring that it would no longer be available to anyone with malicious intent.”
The data included names, addresses, email addresses, gender identification, ethnicity and race information, and dates of birth. The state said no medical information was accessed.
UpGuard also disputed the comments of Tracy Barnes, chief information officer for the state, who said in Tuesday’s announcement that the company “intentionally looks for software vulnerabilities, then reaches out to seek business.”
Rethmeyer said the company does not “look for software vulnerabilities,” which she defined as weaknesses that can be exploited by cybercriminals to gain unauthorized access to a computer system.
“We do not exploit vulnerabilities, we help to secure data leaks and breaches,” she wrote.
UpGuard said it notified the health department of the leak but did not solicit business to repair it.
On its website, UpGuard calls itself the “best platform for securing your organization’s sensitive data.”
The information was taken from the database containing the results of contact tracing, the job of tracking down people who have tested positive for COVID-19 and finding out with whom they recently have been in contact. Those people are then notified and urged to get tested.
The state last year hired an outside vendor, suburban Washington, D.C.-based Maximus Inc., to help local health departments across Indiana conduct contact tracing.
The health department said UpGuard accessed a portal that collects responses submitted by people filling out the online contact tracing survey. This portal is not used by Maximus contact tracers.
In its press release, the state health department said officials were notified of the unauthorized access on July 2.
Last week, the state and UpGuard signed a “certificate of destruction” to confirm that the data was not released to any other entity and was destroyed, the health department said.
“When the state was notified of the unauthorized access, the Indiana Office of Technology and IDOH immediately corrected a software configuration issue and requested the records that had been accessed,” the health department said in its announcement. “Those records were returned on Aug. 4.”
The health department said it will send letters to affected Hoosiers to notify them that the state will provide one year of free credit monitoring.
When informed that UpGuard disputed its characterization of the events, the department said it stood by its comments.