PA AG’s comments raising questions about status of investigation into contact tracing data breach

HARRISBURG, Pa. — The Pennsylvania Attorney General’s office told Target 11 several weeks ago that they had closed the investigation into the Insight Global data breach without taking any civil action or filing criminal charges.

But at a Pennsylvania Senate Appropriations hearing in Harrisburg, Attorney General Josh Shapiro’s comments left some wondering what’s going on with the data breach investigation and why nothing was done to address it.

“In April of 2021, I learned the potential breach with this third-party contractor not from the department, but from a reporter out in Pittsburgh,” said Sen. Kristin Phillips-Hill (R-York County), who questioned Shapiro about the status of the investigation into the data breach.

After Target 11 broke the story last year that Insight Global, the private company paid $30 million dollars to do contact tracing in Pennsylvania, had failed to secure the data of 72,000 people across Pennsylvania, the Attorney General said he was launching an investigation into the data breach.

Related >>> Pennsylvania to end contract with contact tracing vendor involved in data breach exposed by Target 11

Shapiro’s office told Target 11 several weeks ago that they closed the investigation without filing any civil action or criminal charges, but during the Senate hearing, Shapiro declined to discuss the status of the investigation, when questioned by Phillips-Hill.

“I consider this to be a serious data breach. I can’t, in this setting, get into the status of our review of it,” said Shapiro.

Phillips-Hill also asked Shapiro why he hasn’t filed a lawsuit against Insight Global, when he filed one against Uber for failing to notify drivers of a data breach in 2016 that impacted only 10,000 drivers in Pennsylvania.

The Insight Global data breach included the names and contact information of 72,000 adults and children, along with sensitive medical information of across the state.

No financial information was exposed.

“Can you share why a lawsuit has not yet been filed?” asked Phillips-Hill.

“Not in this situation,” responded Shapiro.

After the hearing, I spoke via Zoom with Phillips-Hill. She was surprised to learn that the Attorney General’s office told Target 11 that the investigation into Insight Global had already been completed and no action was taken against the company, the State Department of Health, or any other individuals associated with the breach.

“I was left with the impression today from the Attorney General, under oath, that efforts are still ongoing. Yet the information that was provided to the news media indicates that it’s been closed and no further action will be taken. So, I’m concerned about that,” said Phillips-Hill.

I reached out again to the Attorney General’s office, and a spokesperson told me they are standing by their initial statement that the case had been closed without any action, and referred back to the Department of Health, adding that the Senate Appropriations hearing wasn’t the place to discuss the investigation.

Shapiro suggested that during his comments at the hearing.

“I agree that we need to take public and private sector data breaches equally as serious. Just because I’m not going to get into specifics of an investigation in a setting like this doesn’t mean we don’t take it seriously,” said Shapiro, whose office said we needed to contact the Department of Health for an update.

A spokesman for the Department of Health tells Target 11 they are still working to resolve some legal issues with Insight Global.

Insight Global did offer free credit monitoring as a result.

A federal class-action lawsuit was filed on behalf of the 72,000 people who had their information exposed. The courts dismissed the Department of Health from the lawsuit, and Insight Global has asked the judge to dismiss the case. Both sides are now waiting for the judge to rule on the case.