HARRISBURG, PA (WSKG) — A vendor working with the Pennsylvania Department of Health failed to secure the private information of more than 72,000 people, including sensitive details such as sexual orientation and whether the person was exposed to someone with COVID-19.
Since 2020, Insight Global has provided COVID-19 contact tracing services for the Pennsylvania Health Department.
Health department spokesman Barry Ciccocioppo said his agency recently learned the Atlanta, Georgia-based company “disregarded security protocols” and “created unauthorized documents.”
“Immediately after becoming aware, the Department took swift action demanding Insight Global properly secure the documents,” Ciccocioppo said. “Insight Global engaged third-party IT specialists and immediately began a forensic investigation to identify all individuals who might be impacted.”
Some of the online documents included phone numbers, email addresses and personal information such as gender, age, sexual orientation, COVID-19 diagnosis and exposure status, Ciccocioppo said. More than 72,000 people were listed in the documents.
The department doesn’t know how many people may have viewed or downloaded the documents, Ciccocioppo said.
The department says it is requiring the firm to notify everyone affected. Insight Global was not immediately available for comment. The department will not renew its contract with the company when it expires July 31.
For Republican state Rep. Jason Ortitay, that’s not soon enough.
“I think first and foremost, the contract needs to be terminated immediately, today,” Ortitay said.
The lawmaker said he first became aware of the problem more than three weeks ago when a reporter met with him and showed him a laptop with what looked like a Google spreadsheet listing thousands of names and corresponding information.
Ortitay set up a meeting with the governor’s office to explain the problem. A week later, he got a call back, saying there was no issue. He is calling for a house oversight committee investigation.
He noted that the contract was awarded to the company without a competitive bid, something that was allowed because of the governor’s emergency declaration. The state paid Insight Global $23 million to supply 1,000 contact tracers.
He said he understands that there was a need to quickly set up a contact tracing system, but the state failed to maintain oversight of the company.
“Why wasn’t the administration doing more to make sure the vendors were following the rules of the contract, to make sure people’s information was safe and secure?”
Republican state House Majority Leader Kerry Benninghoff said the incident is an “incredibly careless and damaging breach of trust.”
“In the throes of a global pandemic, they trusted this administration to do the right thing with their personal, identifiable information in an effort to keep people safe,” Benninghoff said. “That trust has been broken.”
According to WPXI-TV, which broke the story, former workers at Insight Global said they told supervisors, but nothing was done to protect the information.
WPXI confirmed it could access personal information on a website.
Following the incident, Insight Global set up a toll-free hotline, 1-855-535-1787, that goes live Friday, for anyone concerned that their data was compromised.
“The hotline will be staffed Monday through Friday, from 9:00 a.m. to 9:00 p.m.,” Ciccocioppo said. “While no financial information was included, credit monitoring and identity protection services will be offered at no cost to anyone impacted by this incident.”
In a press release, Insight Global said it deeply regrets the data breach.
“All necessary steps are being taken to secure any personal information, and we intend to learn and grow from this. We remain committed to continue helping slow the spread of COVID-19 in Pennsylvania.”