Pennsylvania Department of Health and Insight Global Sued over 72,000-Record Data Breach

The Pennsylvania Department of Health and its COVID-19 contact tracing vendor are being sued over a breach of the personal and health data of 72,000 Pennsylvanians.

The breach in question was announced by Insight Global and the Department of Health on April 29, 2021. Insight Global, an IT service management and staffing firm, had been awarded the contract for the state’s contact tracing program and had been given access to personal and health data to provide those services.

The information was used to contact individuals potentially exposed to COVID-19 to identify and address the need for specific support services and to help slow the spread of COVID-19. Insight Global had implemented secure communication channels for its contact tracers and had security protocols in place, but it was discovered that some employees had “disregarded security protocols established in the contract and created unauthorized documents.” Those documents, including spreadsheets, had been shared between contact tracers using personal email accounts and consumer versions of cloud services such as Google Sheets, which lacked appropriate security controls. That meant sensitive information was transferred to servers outside the state’s secure data system.

Individuals whose personal information was exposed had been contacted for the purpose of contact tracing between September 2020 and April 21, 2020. The exposed data included names, emails, phone numbers, ages, genders, COVID-19 diagnoses, and individuals’ exposure status. The Department of Health has confirmed that the contract with Insight Global expires at the end of July and will not be renewed.

The Department of Health is alleged to have been aware about the breach several months before any notification was issued. State Rep. Jason Ortitay said he was made aware of the breach on April 1, 2021 and contacted the state governor to voice concerns. The governor confirmed that the matter had been raised several months previously and the claims were found to be invalid.

Now a lawsuit has been filed in Federal court against Department of Health and Insight Global. The lawsuit alleges the 72,000 individuals whose information was exposed are now at risk of identity theft, fraud, and credit problems due to the exposure of their personal data.

The lead plaintiff, Lisa Chapman from New Kensington, initiated the legal action after discovering her information had been exposed. The lawsuit alleges both the Department of Health and Insight Global were negligent for failing to implement appropriate cybersecurity procedures and did not follow industry standards for protecting the private health information of individuals. The lawsuit alleges the state Department of Health was made aware of the breach as early as November 2020 yet did not take action over the breach until April and failed to notify individuals impacted by the breach until April 29, 2021.

The lawsuit alleges documents were put in the public domain where they could have been accessed by anyone. “These documents were widely available to the public through a Google search and did not require a password, log in, or any kind of authentication in order to be viewed,” according to the lawsuit. “Insight was aware that its employees were using unsecured data storage and communications methods as early as November 2020.”

The lawsuit seeks class action status, a jury trial, equitable relief, payment of credit monitoring and identity theft protection services for several years, reimbursement of legal costs, and for the Department of Health and Insight Global to implement appropriate security measures.

While information was transferred to unsecured services where it could potentially have been accessed by unauthorized individuals, the Department of Health and Insight Global are not aware of any cases of actual or attempted misuse of any personal and health information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.