Lawmakers Call for Investigation into Breach of the Contact Tracing Data of 72,000 Pennsylvanians

Lawmakers in the Commonwealth of Pennsylvania are calling for an investigation into a data breach involving the contact tracing information of 72,000 Pennsylvanians after it was discovered that sensitive information was being shared via unauthorized channels without the necessary security protections.

Insight Global is an Atlanta-based firm that has been assisting the Commonwealth of Pennsylvania with COVID-19 contact tracing during the pandemic. Several individuals employed by Insight Global were discovered to have created and shared unauthorized copies of documents with each other in the course of conducting their contact tracing duties. Documents and spreadsheets were shared via non-secure channels such as personal Google accounts, which meant sensitive data were sent to servers outside the control of the state or Insight Global.

Insight Global announced the breach on April 29, 2021 and said in its substitute breach notice that the data related to contract tracing of individuals between September 2020 and April 21, 2021. An investigation into the breach has been launched and third-party security experts have been assisting to determine the extent of the security issues and their impact. So far, no evidence has been found to suggest any personal or health information has been misused. The investigation into the security issues is ongoing.

Insight Global reports that the exposed information included names of individuals potentially exposed to COVID-19, positive/negative test status, whether symptoms were experienced, information on the names of household members, and email addresses, telephone numbers and other data necessary for specific social support services.

Insight Global said it became aware of the security issue on April 21, 2021 and took immediate steps to resolve the issues, and those steps were completed by April 23. Insight Global has been working closely with the Pennsylvania Department of Health since the discovery of the security issues and will be notifying affected individuals by mail once address information has been verified. Insight Global said no Social Security numbers or financial information have been exposed and, out of an abundance of caution, affected individuals are being provided with complimentary credit monitoring and identity protection services.

An investigation conducted by Target 11 found employees had been recording contact tracing information in the free versions of Google Sheets and were sharing those spreadsheets and other documents with colleagues via personal email accounts for contact tracing purposes. The free versions of these Google services are not HIPAA compliant and should not have been used.

Insight Global had security protocols in place to ensure contact tracing data could be recorded and shared securely. It is currently unclear whether this was simply a case of isolated employees circumventing security protocols and creating unauthorized documents and spreadsheets to make their work easier. However, regardless o the cause, sensitive data has been exposed.

The Commonwealth of Pennsylvania has decided not to renew its contract with Insight Global over the security breach. The contract is set to expire on July 31, 2021. A spokesperson for the Pennsylvania Department of Health said, “We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals.”

State Representative Jason Ortitay (R- Allegheny, Washington) claims to have learned about the breach weeks ago and raised the alarm with the state Governor’s office on April 1, 2021. Republican lawmakers are now calling for an investigation into the security breach by the state Attorney General’s office, House Government Oversight Committee, and federal law enforcement agencies.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.