Contact tracing data breach exposed personal information for more than 72k people in Pa.

The state says it will not renew its contract with the agency after the incident.

  • Brett Sholtis

This story has been updated to include additional comments from Insight Global and a state lawmaker.

(Harrisburg) — A vendor working with the Pennsylvania Department of Health failed to secure the private information of more than 72,000 people, including sensitive details such as sexual orientation and whether the person was exposed to someone with COVID-19.

Since 2020, Insight Global has provided COVID-19 contract tracing services for the Pennsylvania Health Department.

Health department spokesman Barry Ciccocioppo said his agency recently learned the Atlanta, Georgia-based company “disregarded security protocols” and “created unauthorized documents.”

“Immediately after becoming aware, the Department took swift action demanding Insight Global properly secure the documents,” Ciccocioppo said. “Insight Global engaged third-party IT specialists and immediately began a forensic investigation to identify all individuals who might be impacted.”

Some of the online documents included phone numbers, email addresses and personal information such as gender, age, sexual orientation, COVID-19 diagnosis and exposure status, Ciccocioppo said. More than 72,000 people were listed in the documents.

The department doesn’t know how many people may have viewed or downloaded the documents, Ciccocioppo said.

The department says it is requiring the firm to notify everyone affected. Insight Global was not immediately available for comment. The department will not renew its contract with the company when it expires July 31.

For Republican state Rep. Jason Ortitay, that’s not soon enough.

“I think first and foremost, the contract needs to be terminated immediately, today,” Ortitay said.

The lawmaker said he first became aware of the problem more than three weeks ago when a reporter met with him and showed him a laptop with what looked like a Google spreadsheet listing thousands of names and corresponding information.

Ortitay set up a meeting with the governor’s office to explain the problem. A week later, he got a call back, saying there was no issue. He is calling for a house oversight committee investigation.

He noted that the contract was awarded to the company without a competitive bid, something that was allowed because of the governor’s emergency declaration. The state paid Insight Global $23 million to supply 1,000 contact tracers.

He said he understands that there was a need to quickly set up a contact tracing system, but the state failed to maintain oversight of the company.

“Why wasn’t the administration doing more to make sure the vendors were following the rules of the contract, to make sure peoples’ information was safe and secure?”

Pa. Republican lawmakers and the U.S. Capitol attack
As part of WITF’s commitment to standing with facts, and because the Jan. 6 attack on the U.S. Capitol was an attempt to overthrow representative democracy in America, we are marking elected officials’ connections to the insurrection. Read more about this commitment.
Republican House Majority Leader state Rep. Kerry Benninghoff signed a letter asking Congress to object to electoral college vote certification. The election-fraud lie led to the attack on the Capitol.

Republican state House Majority Leader Kerry Benninghoff said the incident is an “incredibly careless and damaging breach of trust.”

“In the throes of a global pandemic, they trusted this administration to do the right thing with their personal, identifiable information in an effort to keep people safe,” Benninghoff said. “That trust has been broken.”

According to WPXI-TV, which broke the story, former workers at Insight Global said they told supervisors, but nothing was done to protect the information.

WPXI confirmed it could access personal information on a website.

Following the incident, Insight Global set up a toll-free hotline, 1-855-535-1787, that goes live Friday, for anyone concerned that their data was compromised.

“The hotline will be staffed Monday through Friday, from 9:00 a.m. to 9:00 p.m., “Ciccocioppo said. “While no financial information was included, credit monitoring and identity protection services will be offered at no cost to anyone impacted by this incident.”

In a press release, Insight Global said it deeply regrets the data breach.

“All necessary steps are being taken to secure any personal information, and we intend to learn and grow from this. We remain
committed to continue helping slow the spread of COVID-19 in Pennsylvania.”

 

 

Support for WITF is provided by:

Become a WITF sponsor today »

Up Next
Arts & Culture

‘We are not subjects of study!’: Protesters march on Penn Museum to decry handling of MOVE remains