[BreachExchange] Contact Tracing Data Breach Exposed Personal Data For Over 72K Pennsylvanians

Destry Winant destry at riskbasedsecurity.com
Mon May 3 10:20:03 EDT 2021


https://wskg.org/news/contact-tracing-data-breach-exposed-personal-data-for-over-72k-pennsylvanians/

HARRISBURG, PA (WSKG) — A vendor working with the Pennsylvania Department
of Health failed to secure the private information of more than 72,000
people, including sensitive details such as sexual orientation and whether
the person was exposed to someone with COVID-19.

Since 2020, Insight Global has provided COVID-19 contact tracing services
for the Pennsylvania Health Department.

Health department spokesman Barry Ciccocioppo said his agency recently
learned the Atlanta, Georgia-based company “disregarded security protocols”
and “created unauthorized documents.”

“Immediately after becoming aware, the Department took swift action
demanding Insight Global properly secure the documents,” Ciccocioppo said.
“Insight Global engaged third-party IT specialists and immediately began a
forensic investigation to identify all individuals who might be impacted.”

Some of the online documents included phone numbers, email addresses and
personal information such as gender, age, sexual orientation, COVID-19
diagnosis and exposure status, Ciccocioppo said. More than 72,000 people
were listed in the documents.

The department doesn’t know how many people may have viewed or downloaded
the documents, Ciccocioppo said.

The department says it is requiring the firm to notify everyone affected.
Insight Global was not immediately available for comment. The department
will not renew its contract with the company when it expires July 31.

For Republican state Rep. Jason Ortitay, that’s not soon enough.

“I think first and foremost, the contract needs to be terminated
immediately, today,” Ortitay said.

The lawmaker said he first became aware of the problem more than three
weeks ago when a reporter met with him and showed him a laptop with what
looked like a Google spreadsheet listing thousands of names and
corresponding information.

Ortitay set up a meeting with the governor’s office to explain the problem.
A week later, he got a call back, saying there was no issue. He is calling
for a house oversight committee investigation.

He noted that the contract was awarded to the company without a competitive
bid, something that was allowed because of the governor’s emergency
declaration. The state paid Insight Global $23 million to supply 1,000
contact tracers.

He said he understands that there was a need to quickly set up a contact
tracing system, but the state failed to maintain oversight of the company.

“Why wasn’t the administration doing more to make sure the vendors were
following the rules of the contract, to make sure people’s information was
safe and secure?”

Republican state House Majority Leader Kerry Benninghoff said the incident
is an “incredibly careless and damaging breach of trust.”

“In the throes of a global pandemic, they trusted this administration to do
the right thing with their personal, identifiable information in an effort
to keep people safe,” Benninghoff said. “That trust has been broken.”

According to WPXI-TV, which broke the story, former workers at Insight
Global said they told supervisors, but nothing was done to protect the
information.

WPXI confirmed it could access personal information on a website.

Following the incident, Insight Global set up a toll-free hotline,
1-855-535-1787, that goes live Friday, for anyone concerned that their data
was compromised.

“The hotline will be staffed Monday through Friday, from 9:00 a.m. to 9:00
p.m.,” Ciccocioppo said. “While no financial information was included,
credit monitoring and identity protection services will be offered at no
cost to anyone impacted by this incident.”

In a press release, Insight Global said it deeply regrets the data breach.

“All necessary steps are being taken to secure any personal information,
and we intend to learn and grow from this. We remain
committed to continue helping slow the spread of COVID-19 in Pennsylvania.”