Department of Health Acting Secretary Alison Beam speaks at a press conference. Harrisburg, PA – February 17, 2021
It’s believed that an unauthorized document with the health information of 76,000 Pennsylvanians has been scrubbed from the internet, the state’s top health official told a legislative panel on Wednesday.
For the first time since a contact tracing data breach in April exposed thousands of Pennsylvanians’ private health information, state health officials met with lawmakers to discuss a new $34 million contract with another third-party vendor.
The hearing before the Senate Health and Human Services and Communications and Technology committees comes after the state Health Department severed ties with Insight Global, a contact tracing company that violated protocol by storing private information on a publicly accessible document.
Due to pending litigation, acting state Health Secretary of Health Alison Beam and Executive Deputy Secretary Keara Klinepeter couldn’t say much about the data breach but reassured lawmakers that state data systems remain secure. They added that — to their knowledge — the Google document is no longer circulating.
Beam confirmed that Google was contacted about the breach but could not comment on their response, citing legal concerns.
“We are not aware of any Google Doc that continues to exist with any sort of access from former employees of Insight Global that have publicly identified Pennsylvanians’ information on it,” Beam said.
Beam added that no state database, including the COVID Alert PA mobile app, was compromised by the data breach.
Beam said that Insight Global used a third-party contractor to identify all potentially affected individuals and opened a free hotline to help those impacted, including a free service to monitor credit information.
Since ending its $23 million contract with Insight Global on May 20, the Health Department has used the National Guard for contact tracing services in Pennsylvania. The National Guard is acting under federal orders — meaning that the federal government is paying for services, Beam said.
Last month, the Department of General Services approved the Health Department’s request for a year-long contract with Boston-based Public Consulting Group to serve as the state’s new contact tracing vendor, but the agreement isn’t yet complete.
Sen. Michele Brooks, R-Mercer, and other panelists suggested the Health Department consider contracting with a Pennsylvania-based company. Sen. Cris Dush, R-Jefferson, questioned why the new contract is $11 million more than the agreement with Insight Global.
The increase, Beam said, is reflective of a rate needed to address what could be a rise in COVID-19 cases when students and educators return to school — adding that “there’s a potential to have those cases increase again.”
State health officials were expected to discuss the data breach before the Senate Communications and Technology Committee in May. Citing pending litigation, Beam backed out, but that didn’t stop lawmakers from asking questions about how the breach occurred and how many people were affected.
Sen. Kristin Phillips-Hill, R-York, who chairs the Senate Communications and Technology Committee, has been a vocal critic of the Health Department’s handling of the situation with Insight Global, but on Wednesday, she and other panelists were focused on asking how Pennsylvanians will be protected in the future.
“We have an opportunity to work collaboratively — the executive branch, the legislative branch,” she said. “We have an opportunity through collaboration, to first rebuild trust in the commonwealth to assure data privacy, the protection of very sensitive personal information of the people of this commonwealth.”
The new contract, Beam said, will include safeguards to ensure the vendor handles private information and has controls to prevent sharing health data. Similar terms were included in the Insight Global contract, but Beam said the Health Department has “bolstered” expectations, security, and guidelines to prevent a future breach and enhance vendor accountability.
With the new vendor, information will be restricted to state-monitored systems, so there won’t be an opportunity to share data through an unauthorized database, Beam said.
If and when the contract ends, the Health Department will keep statewide contact tracing services in-house, Beam said. She added that as vaccinations continue and case counts decline, contact tracing efforts can scale down.
“As a matter of public trust, the department takes the safety and security of individuals’ personal information very seriously,” Beam testified. “The contact tracing process is a core part of disease prevention and control in public health.”
Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site.