Whistleblowing security researchers deny ‘inappropriate access’ to Indiana Covid-19 survey data

UPDATED A security vendor has disputed claims that it improperly accessed personal data collected through the US state of Indiana’s Covid-19 contact tracing survey.

In a statement issued on Tuesday (August 17), the Indiana Department of Health said it was notifying nearly 750,000 citizens that data from the survey was “improperly accessed”.

The exposed information included name, address, email, gender, ethnicity, and date of birth, but it did not include medical information or sensitive financial information, according to state officials.

“We believe the risk to Hoosiers whose information was accessed is low,” said State Health Commissioner Kris Box.

“We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained.”

Box added: “We will provide appropriate protections for anyone impacted.”

Publicly accessible

Citizens are being offered a year’s complimentary credit monitoring services, while techies in Indiana have corrected a “software configuration issue” that resulted in the inadvertent data leak.

Although the firm was not named in the official statement, a spokesperson for Indiana told the Associated Press that cybersecurity firm UpGuard was responsible for the “inappropriate access”.

UpGuard criticized Indiana’s statement, telling the AP that the data was left publicly accessible on the internet.

The Daily Swig approached Indiana for comment on the exact cause of the breach, as well as its response to UpGuard’s version of events.

In response, a spokesperson for Indiana confirmed that UpGuard was the firm involved, adding “we stand by the statements in our release”.

We also invited UpGuard to comment but we’re yet to hear back.

This story will be updated as and when more information comes to hand.

Source: https://portswigger.net/daily-swig/whistleblowing-security-researchers-deny-inappropriate-access-to-indiana-covid-19-survey-data
