The Pennsylvania Department of Health along with its COVID-19 contact tracing vendor are being sued due to a breach of the personal and health information of 72,000 Pennsylvanians.
Insight Global and the Department of Health reported the breach in question on April 29, 2021. The IT service management and staffing company Insight Global got awarded the contract to do the state’s contact tracing program and was granted access to personal and medical data in order to provide those services.
The information was utilized to contact people possibly exposed to COVID-19 to identify and deal with the precise support services required and to help reduce the spread of COVID-19. Insight Global had provided its contact tracers with secure communication channels and had set up security standards, however, it was found out that a number of workers had ignored security practices established in the contract and made unauthorized records. Those documents, which include spreadsheets, were shared between contact tracers utilizing private email accounts and consumer versions of cloud platforms like Google Sheets, which didn’t have proper security controls. That meant sensitive data was transmitted to servers outside the state’s protected data system.
The persons whose personal information was exposed had been contacted for contact tracing purposes between September 2020 and April 21, 2020. The compromised information included names, phone numbers, emails, ages, genders, COVID-19 diagnoses, and exposure status of individuals. The Department of Health has stated that the agreement with Insight Global will end this July and will not be renewed.
Allegedly, the Department of Health knew about the breach a few months before the issuance of any notification. State Rep. Jason Ortitay stated he was informed of the breach on April 1, 2021 and called the state governor to express concerns. The governor affirmed that the matter was raised a number of months earlier and the statements were found to be incorrect.
Right now a lawsuit has been submitted in Federal court against the Department of Health and Insight Global. The lawsuit claims the 72,000 people whose data was compromised are currently in danger of identity theft, fraud, and credit issues because of the compromise of their personal data.
The lead plaintiff, Lisa Chapman from New Kensington, began the legal action right after finding out about the exposure of her information. The lawsuit states the Department of Health and Insight Global were at fault for screwing up to implement correct cybersecurity processes and didn’t adhere to industry requirements for safeguarding the private health data of people. The lawsuit states the state Department of Health was made conscious of the incident as soon as November 2020 yet failed to do something about the breach until April and did not inform people impacted by the breach until April 29, 2021.
The lawsuit claims files were stored in the public domain where anyone could access them. People could do a Google search and access the information without requiring any password to log in and view. Insight was aware that its staff was using unsecured data storage and communications channels as early as November 2020.
The lawsuit is seeking class-action status, a jury trial, equitable relief, compensation of credit monitoring and identity theft protection services for a number of years, repayment of legal expenses, and for the Department of Health and Insight Global to use appropriate security measures.
Although the information was copied to unsecured services where it can likely have been accessed by unauthorized persons, Insight Global and the Department of Health are not advised of any instances of actual or attempted misuse of any personal and health data.