(*This story was updated at 4:55 p.m. on Thursday, 4/29/21, with comment from Insight Global, state Rep. Jason Ortitay, and the Wolf administration.)
A private vendor that the Pennsylvania Department of Health hired to contact trace COVID-19 cases in the commonwealth ignored security protocols and established an unauthorized database with the personal information of tens of thousands of Pennsylvanians, potentially compromising confidential health data.
The names of at least 72,000 Pennsylvania residents were included in spreadsheets maintained by Atlanta-based Insight Global, some of which were associated with contact information, demographic data, and a COVID-19 diagnosis, according to Barry Ciccocioppo, a spokesperson for the Department of Health.
This information was contained outside of the Department of Health’s own secure data systems, Ciccocioppo said.
The unsecured spreadsheets did not contain financial account information, addresses, or social security numbers, he added, and no state IT assets or systems, including the COVID Alert PA app, were involved.
As of Thursday, Insight Global said it was unaware of any misuse of the data, but “we understand the concern that this potential access to such information may raise,” the company said in a statement.
The data breach was first reported by WPXI-11, a Pittsburgh TV station. Insight Global had received a $23 million contract from the state in 2020 to hire 1,000 people to collect the travels and potential contacts of people positive for, or exposed to, COVID-19.
But employees told WPXI-11 that the data collected from Pennsylvanians was not secured, and that supervisors did not address the issue when informed.
In a statement, Insight Global said that it was made aware of the problem on April 21 and addressed it over the next two days.
“Although Insight Global has robust security on its in-house platforms, as part of an unauthorized collaboration channel, certain employees set up and used several Google accounts for sharing information,” the company said. “Documents related to contact-tracing collection were included among the information that may have been vulnerable to access.”
The department will not renew its contract with Insight Global, which expires July 30, Ciccocioppo said. It also will require that Insight Global contact all impacted individuals.
According to one state lawmaker, the Wolf administration was made aware of concerns but did not fully respond until last week.
State Rep. Jason Ortitay, R-Washington, told the Capital-Star he was contacted by a reporter about the issue in early April, and after conferring with House Republican staff, shared the reporter’s findings with Wolf’s chief of staff.
Wolf’s chief of staff responded to Ortitay a few days later that the administration had investigated similar claims months ago and found them to be false.
“Whoever he got his information from was obviously very wrong,” Ortitay told the Capital-Star.
A week later, the Department of Health finally acknowledged the data breach, Ortitay added.
He argued that the administration should suspend the contract immediately, and wanted the attorney general and the legislature to investigate what went wrong.
Lyndsay Kensinger, spokesperson for Wolf, said that “the insinuation that the Chief of Staff was dishonest in his interactions with the representative is offensive and false.”
The information announced today, Kensinger added, wasn’t available when Ortitay and Wolf’s top staffer talked earlier this month.