Thousands in Pa. could have compromised health data. A Senate panel wants answers

May 11, 2021 3:57 pm

Pennsylvania Senate Chambers. Source: WikiMedia Commons

Officials from the state Health Department were a no-show, but that didn’t stop a state Senate panel from asking questions about a contact-tracing data breach that may have left thousands of Pennsylvanians’ private health information exposed.

“What kind of liability now has this exposed residents of Pennsylvania, our taxpayers? What are they going to be on the hook for with all these data breaches and what liabilities are out there?” Sen. Pat Stefano, R-Fayette, of the Senate Communications and Technology Committee, said Tuesday. “These are the questions that I have, and as you can see — the chairs are empty. We don’t have answers.”

The Senate panel met Tuesday to discuss Insight Global and the potentially compromised health data of at least 72,000 Pennsylvanians. The security breach occurred while employees of the Atlanta-based contractor conducted statewide COVID-19 contact tracing under a $23 million federally-funded contract.

“How were they watching what this contractor was doing? This is Pennsylvania’s private data that they were dealing with,” Stefano said. “Who was asking those questions; who was making sure? We need to know.”

The Health Department begged off Tuesday’s hearing, saying pending litigation barred the agency from appearing. 

In a July statement, the Health Department said it picked the contractor based on its “ability to operationalize a large-scale, well-resourced program quickly and efficiently.” However, an investigation from WPXI-11, a Pittsburgh television station, revealed that thousands of residents’ personal information had been compromised, and the vendor created an unauthorized database to store contacts’ information.

A 27-page federal lawsuit names the Health Department and Insight Global as defendants and alleges that the documents were “widely available” to the public through a Google search and did not require a password, login or authentication to view.

Though the suit also alleges that Insight Global was aware that employees were using insecure storage and communications methods, the contractor said it was unaware of any data misuse.

Last month, Health Department Communications Director Barry Ciccocioppo told the Capital-Star that the unsecured spreadsheets did not contain financial account information, addresses or social security numbers. He added that no state IT assets or systems were involved, including the COVID Alert PA app.

Ciccocioppo said the department will not renew its contract with Insight Global, which expires July 30, and it has required the vendor to contact all impacted individuals.

“The Department of Health was planning to participate in today’s Senate hearing,” Maggi Barton, the department’s deputy press secretary, said Tuesday. “However, once a lawsuit against the department was filed, we were unable to accept the invitation because we do not comment on matters relating to pending litigation.”

Though lawmakers were hoping to address their concerns and unanswered questions during Tuesday’s hearing, they were met with empty chairs due to the DOH’s inability to comment on pending legal matters.

“The original purpose of today’s public hearing was to understand the simple questions that we’ve been asked by our constituents,” the panel’s chairperson, Sen. Kristin Phillips-Hill, R-York, said. “When did the department know? Who is impacted? What information do these contact tracers have in their possession? Why didn’t the department immediately cancel its contract with the vendor? And where does this data go after the pandemic is over?”

In March 2018, Pennsylvania Attorney General Josh Shapiro filed a lawsuit against Uber Technologies, Inc. for violating the state’s data breach notification law. At least 13,500 state Uber drivers were affected when their first and last names and their drivers’ license numbers were stolen. 

Six months later, Shapiro announced a settlement agreement with the ride-sharing company that required Uber to pay $5.7 million to the AG’s office and take steps to keep employee information secure.

Phillips-Hill urged Shapiro to take similar action and investigate the contact tracing data breach. A spokesperson for Shapiro did not disclose whether his office plans to look into the issue further.

“These allegations about a contractor failing to safeguard people’s personal data are concerning,” Shapiro’s office said in a statement. “Our office is aware of these allegations and cannot comment further at this time.”

In the meantime, Phillips-Hill said committee members plan to evaluate “all tools at our disposal” — including issuing subpoenas — to exercise oversight.

“Oversight is one of the most important roles that the General Assembly fills,” Phillips-Hill said, adding that the committee will work to provide the “transparency and accountability that is lacking” with the Health Department’s contract.
