The Indiana Department of Health says someone “improperly accessed” the state’s COVID-19 contact tracing data. Indiana Chief Information Officer Tracy Barnes said in a press release that the data was accessed by a company “that intentionally looks for software vulnerabilities, then reaches out to seek business.”
The information obtained includes name, address, email, gender, ethnicity, race, and date of birth. State Health Commissioner Dr. Kris Box says no medical information was obtained, and contact tracers do not collect Social Security information.
State officials say they learned about the data breach on July 2. The state and the company that accessed the data signed a “certificate of destruction” last week, confirming that the data wasn’t released to anyone else.
Now, the Indiana Department of Health plans to offer a year of free credit monitoring to nearly 750,000 affected Hoosiers. State officials say they’ve corrected the issue with the software configuration, and they’ll continue regular scans to make sure the information wasn’t transferred.