[BreachExchange] Lawsuit Filed Over Contact Tracing Data Breach

[Destry Winant]

https://www.infosecurity-magazine.com/news/lawsuit-filed-over-contact-tracing/

A federal lawsuit has been filed against Pennsylvania and a vendor
contracted by the state's Department of Health (DOH) over a data breach
that exposed the personal health information (PHI) of thousands of
Pennsylvanians.

The DOH hired Atlanta-based company Insight Global in 2020 "to provide
contact tracing and other similar services" following the outbreak of
COVID-19. The Department later said that employees of the company caused a
data breach by creating "unauthorized documents outside of the secure data
systems created by the Commonwealth."

Information exposed in the data breach included names, phone numbers, and
medical information belonging to 72,000 individuals.

The data breach was first reported by WPXI TV show Target 11 on April 30
after the show's team learned of the incident via a whistleblower. The
show's investigator Rick Earle today reported that a lawsuit has been filed
over the breach.

Insight Global and the Pennsylvania Department of Health are named as
defendants in the suit, which claims that data breach victims now face an
increased risk of identity theft.

The plaintiffs allege that the data breach was a “direct result of
Defendants’ failure to implement adequate and reasonable cybersecurity
procedures and protocols."

In the suit, Insight Global is accused of maintaining “unsecure
spreadsheets, databases and or documents containing the PHI (public health
information).”

In a statement by the company sent to Earle, Insight Global claimed to be
unaware of any litigation regarding the data breach.

“Insight Global has not been served with the lawsuit and will need time to
analyze any allegations, but can say that we are working closely with the
Pennsylvania Department of Health to identify any individuals whose
information may have been affected and have taken steps to secure and
prevent any further access to, or disclosure of, information," stated the
company.

The DOH has stated that it will not be renewing its contract with Insight
Global after it expires on July 31. State representatives meeting in
Harrisburg on Monday reportedly called for the contract to be terminated
immediately and for an investigation into the breach to be launched by a
state House Oversight Committee.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210510/4b6e48a3/attachment.html>