SecurityWeek

Compliance

Contact Tracing Breach Impacts Private Info of 72K People

Employees of a vendor paid to conduct COVID-19 contact tracing in Pennsylvania may have compromised the private information of at least 72,000 people, including their exposure status and their sexual orientation, the state Health Department said Thursday.

Workers at Atlanta-based Insight Global “disregarded security protocols established in the contract and created unauthorized documents” outside the state’s secure data system, Health Department spokesman Barry Ciccocioppo said.

“We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals,” Ciccocioppo said. He said state computer systems, including Pennsylvania’s contact tracing app, were not implicated.

Insight Global acknowledged it mishandled sensitive data and apologized. The company has been paid about $28.7 million since March 2020, according to the state Treasury Department.

Ciccocioppo said some of the records in question associated names with phone numbers, emails, genders, ages, sexual orientations and COVID-19 diagnoses and exposure status. They did not include financial account information, addresses or Social Security numbers, he said.

The company has been directed to secure the records and has hired third-party specialists to conduct a forensic examination.

The data breach was first reported Thursday by WPXI-TV in Pittsburgh, and state lawmakers were briefed on the problem Thursday morning.

House Majority Leader Kerry Benninghoff, R-Centre, called it an “incredibly careless and damaging breach of trust.”

“This latest example of gross mismanagement by the Wolf administration speaks volumes to the dangers of unchecked, unilateral executive authority and why the people’s voice through their elected representatives and senators needs to be heard during challenging times,” Benninghoff said.

He said the state’s agreement with Insight Global was not competitively bid. About 900 Insight Global employees have been involved in contact tracing in the state, according to the Health Department.

In a statement Thursday, Insight Global said it became aware on April 21 that employees had set up several unauthorized Google accounts for sharing information, including the names of people who might have been exposed to COVID-19, whether they had any symptoms, how many people lived with them and, in some cases, their email addresses and phone numbers.

The company called it an “unauthorized collaboration channel” that is not subject to the “robust security” of its in-house software. Insight Global said it acted to secure the information by April 23.

“We deeply regret this happened and are committed to restoring the trust of any residents of Pennsylvania who may have been impacted,” the company’s statement said. “All necessary steps are being taken to secure any personal information, and we intend to learn and grow from this. We remain committed to continue helping slow the spread of COVID-19 in Pennsylvania.”

The company also said it was unaware of “the misuse of the information involved,” but that its third-party security specialists are continuing their work to detect any unauthorized disclosures.

WPXI said former employees of Insight Global told the station they alerted supervisors that information had been improperly secured but no action had been taken.

The Department of Health’s emergency contract with Insight Global required the staffing agency to safeguard people’s data and, in the event of “any improper disclosure of information,” to provide credit monitoring and other remedies. It also required Insight Global to comply with federal health privacy law.

Contract documents said Insight Global “recognizes and accepts that the contact tracing workforce will have access to personal health information of contact tracing subjects and must ensure that and all other such information related to the services being provided must be kept confidential and secure.”

The Health Department plans to drop Insight Global once its contract expires in three months. The company said it will notify people affected by the data breach and will open a daytime hotline starting Friday afternoon for anyone concerned. That number is 855-535-1787.

Free credit monitoring and identity protection services will be offered.

Insight Global, which started a health care division during the pandemic and bills itself as a “leading talent solutions firm,” was under pressure to scale up quickly. The company had to hire 250 contact tracers within 35 days, then bring on additional workers every two weeks until the effort was fully staffed.

Related: Dutch Government Pauses Coronavirus App Over Data Leak Fears

Related: Security, Privacy Issues Found in Tens of COVID-19 Contact Tracing Apps

Related: European Virus Tracing Apps Highlight Battle for Privacy

Related: COVID-19 Contact Tracing Apps: Effective Virus Risk Management Tools or Privacy Nightmare?
