Pennsylvania's contact tracing vendor made intimate details public, affecting 70,000

More than 70,000 people were affected by a contact tracing data breach involving a staffing firm that provided contact tracers to Pennsylvania, an April 30 investigation by Pittsburgh news outlet WPXI-TV found.

A WPXI reporter launched an investigation after former employees of the staffing company, Insight Global, sent him links to spreadsheets that were not password protected. He was able to view six months' worth of protected health information (PHI) from contact tracing participants and alerted the state health department.

The former employees said they alerted their supervisors that the data was unsecured, but that nothing was done to address the issue.

The PHI made public included a person's name, phone number and COVID-19 exposure.



Aside from information on a person's COVID-19 exposure, the spreadsheets contained intimate details people had shared about their home lives.

One spreadsheet entry, which included the person's name and contact information, said, "She’s on psych meds for depression. She says she is suicidal."

Another entry said, "Four children in home … in full emotional support and ADHD diagnosis."

Lisa Chapman was one of the people the state department contacted for COVID-19 tracing.

"We were under the impression that this was the health department, and no one's going to see this but the health department," Ms. Chapman told WPXI. "I'm shocked."

Multiple investigations are now underway by the Pennsylvania Department of Health and the company hired to collect the information and data.

"We regret that information collected by our employees during COVID-19 contact tracing may have been made accessible to persons beyond authorized employees and public health officials," Insight Global said in a statement to WPXI. "Our first priority has been to secure and prevent any further access to or disclosure of information."

The state health department said it would not renew its contract with Insight Global and that none of the state's IT assets or systems were affected by the breach. It shut down the links the day after the WPXI investigator alerted it about the breach.

