HARRISBURG, Pa. — Multiple investigations are underway after a contact tracing data breach exposed personal health information of 72,000 Pennsylvanians. The unsecured information was collected by employees of Insight Global—the company paid around $30 million in taxpayer money to perform contact tracing in the state.
“You could see people’s phone numbers, how many kids they had, their kids’ names, other family members’ names. There was some medical information in there,” said State Representative Jason Ortitay, a Republican who serves portions of Washington and Allegheny counties.
Representative Ortitay was shown a spreadsheet that contained detailed information from thousands of people who thought they were releasing confidential information to contact tracers with the Department of Health. He was shocked to learn this data was not encrypted or otherwise protected by Insight Global.
“From the briefing I got this morning from the Governor’s Office, there were several employees of Insight Global that ignored or purposefully avoided security protocols, I don’t know whether to make their job easier or what,” Rep. Ortitay said. “They were basically putting information and people’s names into Google documents and then they were sharing them amongst each other.”
Department of Health officials assert their data systems, including the COVID Alert PA app, have not been impacted. A department spokesperson said the department is “extremely dismayed” and will not renew its contract with Insight Global when it expires July 31, 2021.
Some state lawmakers are calling on the Wolf Administration to terminate the contract immediately, stating that the public’s confidence in the company is gone. Many are worried about the impact this will have, not only on the victims, but on the state’s contact tracing efforts to mitigate the spread of COVID-19.
Representative Ortitay said the Department of Health could have acted sooner on this major data breach. He told FOX43 that he alerted the Governor’s Office about a potential breach earlier this month after concerns about unsecured personal information were brought to his office.
“There was a two to three week period where I brought them information and told them what was going on and they either did nothing or they didn’t look into it enough, which is even more disappointing because how many more people’s information was compromised during that period?” Rep. Ortitay questioned.
A representative from Insight Global said the company is taking all necessary steps to secure any personal information and intends to learn from this incident. The company will be offering free credit monitoring and identity protection services to those affected.
The Department of Health is requiring Insight Global to notify all impacted individuals. A call center will open Friday, April 30 at 1:00 p.m. for anyone concerned that their information might have been subject to the security incident. The hotline — 1-855-535-1787 — will then be staffed Monday through Friday, from 9:00 a.m. to 9:00 p.m.
Here is the full statement from the Department of Health:
"The Department of Health recently became aware that certain employees of Insight Global — a vendor contracted by DOH in 2020 to provide contact tracing and other similar services — disregarded security protocols established in the contract and created unauthorized documents outside of the secure data systems created by the Commonwealth. These documents existed separately from the official data that Insight Global employees were collecting and providing to DOH within secure data platforms. No Commonwealth IT assets or systems, including the COVID Alert PA app, were involved or compromised.
The Department of Health takes the safety and security of individuals’ personal information extremely seriously. We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals. Immediately after becoming aware, the Department took swift action demanding Insight Global properly secure the documents. Insight Global engaged third-party IT specialists and immediately began a forensic investigation to identify all individuals who might be impacted.
While the forensic investigation is ongoing, the documents did not contain financial account information, addresses, or social security numbers. We do know that some of the documents contained a minimum of 72,000 individuals’ names and some of the names are associated with additional information such as phone numbers and email addresses along with personal information such as gender, age, sexual orientation, and COVID diagnosis and exposure status.
As a result of this incident, the Department of Health has informed Insight Global that it will not renew the contract when it expires July 31, 2021. The department is evaluating how to appropriately onboard resources to meet the public health needs of Pennsylvanians.
The Department is requiring Insight Global to notify all impacted individuals. Additionally, a toll-free hotline — 1-855-535-1787 — will open on Friday, April 30, for anyone concerned that their information might have been subject to this security incident. The hotline will be staffed Monday through Friday, from 9:00 a.m. to 9:00 p.m. While no financial information was included, credit monitoring and identity protection services will be offered at no cost to anyone impacted by this incident."
Insight Global released the following statement to FOX43 News:
"Insight Global announced today that some personal information, collected by our employees during COVID-19 contact tracing in Pennsylvania, may have been accessible to persons beyond authorized employees and public health officials. We deeply regret this happened and are committed to restoring the trust of any residents of Pennsylvania who may have been impacted. All necessary steps are being taken to secure any personal information, and we intend to learn and grow from this. We remain committed to continue helping slow the spread of COVID-19 in Pennsylvania.
Insight Global is contracted by the Commonwealth of Pennsylvania to provide services for the Pennsylvania Department of Health to obtain information to help slow the spread of the virus and to identify and address any needs for specific social support services. At this time, we believe the impacted information consisted of names of individuals who may have been exposed to COVID-19, whether they were positive or negative for COVID-19, if they experienced symptoms, information about number of members in household, and for certain individuals, email and telephone numbers and information to address any needs for specific social support services. These individuals were contacted for purposes of contact tracing between September 2020 and April 21, 2021, although only a portion of individuals contacted during this period were affected. Insight Global did not collect Social Security numbers, financial account information, or payment card information, and that type of information was not involved in this incident.
Although Insight Global has robust security on its in-house platforms, as part of an unauthorized collaboration channel, certain employees set up and used several Google accounts for sharing information. Documents related to contact-tracing collection were included among the information that may have been vulnerable to access.
Insight Global leadership became aware of this security vulnerability on April 21, 2021 and immediately took steps, completed by April 23, 2021, to secure and prevent any further access to or disclosure of information. To support this effort, leading third-party IT security specialists were engaged to help determine the nature and scope of the incident, and it is continuing those efforts to detect any unauthorized disclosure of this information. In addition, we worked with these specialists to identify documents that may have been vulnerable, as well as determine the nature of the information that may have been vulnerable. We have worked closely with the Pennsylvania Department of Health to identify any individuals whose information may have been affected. Individuals whose information may have been affected will also be notified by mail once address information is identified.
Although neither Insight Global nor the Commonwealth of Pennsylvania are aware at this time of the misuse of the information involved, we understand the concern that this potential access to such information may raise. Insight Global is offering credit monitoring and identity protection services at no cost through TransUnion to those affected by this incident. A dedicated call center will open on Friday, April 30, 2021 at 1:00 pm Eastern time to help address questions about this incident. For further information or to learn more about the credit monitoring being offered, individuals may call toll free: 1-855-535-1787, Monday through Friday, from 9:00 a.m. to 9:00 pm Eastern Time."