Employees of contact tracing data company share concerning emails after security breach affects Pennsylvanians

PITTSBURGH — Explosive revelations continue following the exclusive Target 11 investigation into a breach of contact-tracing data affecting 72,000 Pennsylvanians.

The investigation has led to serious fallout, including the state not renewing the contract with Insight Global, the company hired to do the contact tracing.

Former employees of the company that got a $23 million contract to do contract tracing in Pennsylvania say it collected personal health information in free Google documents and failed to adequately protect or secure the sensitive information.

Emails obtained by Target 11 suggest employees of Insight Global had expressed concern about data security last fall.

“Using a spreadsheet is pretty old school. Can lead to lost information due to how many hands are in the file. Also this would probably be a huge HIPAA breach, and mishandling sensitive PHI. Especially considering we are using the free version of Google sheets, with employees personal email accounts, this is allowing PHI to be in a very vulnerable location. This is not safe or secure, and is abuse of PHI.”

—  Internal email submitted to Target 11

Target 11 broke the story Thursday that personal health information collected from more than 70,000 contacts across the state had been exposed, as our investigators were able to view the information by clicking on links with no login or password needed.

“I’m very angry that I have this information just out there. It’s not encrypted. I’m also very disturbed because who else has access to this information?” said Zari Price, a victim of the data breach from Washington.

On Thursday, the Pennsylvania Health Department said some Insight Global employees disregarded security protocols and created unauthorized documents.

One former employee responded to that, telling Target 11 they did what they were told: “The tracers are not to blame. They were required to record the responses in Google Sheets.” Another email indicated that the company had systems to protect the data, but they weren’t used.

“We are afraid to learn the way to use it, and are falling back on old school methods that are extremely time-consuming, unsecure, prone to error and frankly illegal.”

—  Internal email submitted to Target 11

Insight Global hasn’t said how it happened, but did issue a statement indicating that an investigation is underway by a third-party IT security specialist.

“If it’s true, shame on the company and shame on the Department of Health for not vetting them thoroughly enough, when they gave them this contract. It’s absolutely ridiculous,” said state Rep. Jason Ortitay (R) of Bridgeville.

Insight Global started a toll-free hotline Friday to answer questions about the breach, and they are also offering free credit monitoring as well as identity protection services.

Several state lawmakers have already planned a news conference for Monday in Harrisburg.