Employees of a vendor paid to conduct COVID-19 contact tracing in Pennsylvania may have compromised the private information of at least 72,000 people, including their exposure status and their sexual orientation, the state Health Department said Thursday.
Workers at Atlanta-based Insight Global “disregarded security protocols established in the contract and created unauthorized documents” outside the state’s secure data system, Health Department spokesman Barry Ciccocioppo said.
“We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals,” Ciccocioppo said. He said state computer systems, including Pennsylvania’s contact tracing app, were not implicated.
Insight Global acknowledged it mishandled sensitive data and apologized. The company has been paid about $28.7 million since March 2020, according to the state Treasury Department.
Ciccocioppo said some of the records in question associated names with phone numbers, emails, genders, ages, sexual orientations and COVID-19 diagnoses and exposure status. They did not include financial account information, addresses or Social Security numbers, he said.
The company has been directed to secure the records and has hired third-party specialists to conduct a forensic examination.
The data breach was first reported Thursday by WPXI-TV in Pittsburgh, and state lawmakers were briefed on the problem Thursday morning.
House Majority Leader Kerry Benninghoff, R-Centre, called it an “incredibly careless and damaging breach of trust.”
“This latest example of gross mismanagement by the Wolf administration speaks volumes to the dangers of unchecked, unilateral executive authority and why the people’s voice through their elected representatives and senators needs to be heard during challenging times,” Benninghoff said.
He said the state’s agreement with Insight Global was not competitively bid. About 900 Insight Global employees have been involved in contact tracing in the state, according to the Health Department.
In a statement Thursday, Insight Global said it became aware on April 21 that employees had set up several unauthorized Google accounts for sharing information, including the names of people who might have been exposed to COVID-19, whether they had any symptoms, how many people lived with them and, in some cases, their email addresses and phone numbers.
The company called it an “unauthorized collaboration channel” that is not subject to the “robust security” of its in-house software. Insight Global said it acted to secure the information by April 23.
“We deeply regret this happened and are committed to restoring the trust of any residents of Pennsylvania who may have been impacted,” the company’s statement said. “All necessary steps are being taken to secure any personal information, and we intend to learn and grow from this. We remain committed to continue helping slow the spread of COVID-19 in Pennsylvania.”
The company also said it was unaware of “the misuse of the information involved,” but that its third-party security specialists are continuing their work to detect any unauthorized disclosures.
WPXI said former employees of Insight Global told the station they alerted supervisors that information had been improperly secured but no action had been taken.
The Department of Health’s emergency contract with Insight Global required the staffing agency to safeguard people’s data and, in the event of “any improper disclosure of information,” to provide credit monitoring and other remedies. It also required Insight Global to comply with federal health privacy law.
Contract documents said Insight Global “recognizes and accepts that the contact tracing workforce will have access to personal health information of contact tracing subjects and must ensure that and all other such information related to the services being provided must be kept confidential and secure.”
The Health Department plans to drop Insight Global once its contract expires in three months. The company said it will notify people affected by the data breach and will open a daytime hotline starting Friday afternoon for anyone concerned. That number is 855-535-1787.
Free credit monitoring and identity protection services will be offered.
Insight Global, which started a health care division during the pandemic and bills itself as a “leading talent solutions firm,” was under pressure to scale up quickly. The company had to hire 250 contact tracers within 35 days, then bring on additional workers every two weeks until the effort was fully staffed.