HARRISBURG, PA (AP) – Employees of a vendor paid to conduct COVID-19 contact tracing in Pennsylvania may have compromised the private information of at least 72,000 people, including their exposure status and sexual orientation, the state Department of Health said Thursday.
Workers at Atlanta-based Insight Global “ignored the security protocols set out in the contract and created unauthorized documents” outside the state’s secure data system, Department of Health spokesman Barry Ciccocioppo said.
“We are extremely dismayed that Insight Global employees have acted in a way that may have compromised this type of information and sincerely apologize to all those affected,” Ciccocioppo said. He said state computer systems, including the Pennsylvania contact tracing app, were not involved.
Insight Global acknowledged that it mishandled sensitive data and apologized. According to the State Treasury Department, the company has been paid about $28.7 million since March 2020.
Ciccocioppo said some of the records in question associated names with phone numbers, emails, genders, ages, sexual orientations and diagnoses of COVID-19 and exposure status. They did not include financial account information, addresses or Social Security numbers, he said.
The company has received instructions to secure the records and has hired third-party specialists to conduct a forensic examination.
WPXI-TV in Pittsburgh first reported the data breach, and state lawmakers were briefed on the issue Thursday morning.
House Majority Leader Kerry Benninghoff, R-Centre, called it an “incredibly careless and damaging breach of trust.”
“This latest example of brutal mismanagement by the Wolf administration speaks volumes about the danger of an uncontrolled unilateral executive authority and why the voice of the people must be heard through their elected representatives and senators in difficult times,” Benninghoff said.
He said the state’s deal with Insight Global was not competitively bid. According to the Department of Health, about 900 Insight Global employees have been involved in contact tracing in the state.
In a statement, Insight Global said it learned on April 21 that employees had created several unauthorized Google Accounts to share information, including the names of people who may have been exposed to COVID-19, whether they had symptoms, how many people lived with them, and in some cases, their email addresses and phone numbers.
The company called it an “unauthorized collaboration channel” that is not subject to the “robust security” of its internal software. Insight Global said it acted to protect the information before April 23rd.
“We deeply regret that this has happened and are committed to restoring the confidence of all Pennsylvania residents who may have been affected,” the company statement said. “All necessary steps are being taken to secure any personal information, and we intend to learn and grow from it. We remain committed to continuing to help curb the spread of COVID-19 in Pennsylvania.”
The company also said it was unaware of “the misuse of the information involved,” but that its third-party security specialists are continuing their work to detect any unauthorized disclosure.
WPXI said former Insight Global employees told the station that they alerted supervisors that the information had been incorrectly secured but no action had been taken.
The Department of Health’s emergency contract with Insight Global required the staffing agency to protect people’s data and, in the event of “improper disclosure of information,” provide credit monitoring and other resources. It also required Insight Global to comply with federal health privacy law.
The contract documents stated that Insight Global “recognizes and accepts that the contact tracking template will have access to personal information about the health of the people performing the contact tracking and must ensure that all such information related to the services is kept confidential and secure.”
The Department of Health plans to drop Insight Global once its contract expires in three months. The company said it will notify people affected by the data breach and will open a daytime hotline starting Friday afternoon for anyone interested. The number is 855-535-1787.
Free credit monitoring and identity protection services will be provided.
Insight Global, which started a healthcare division during the pandemic and bills itself as a “leading talent solutions company,” was under pressure to grow rapidly. The company had to hire 250 contact tracers within 35 days, and then add workers every two weeks until the effort was fully staffed.