Investigates

Unsecured Pennsylvania COVID-19 contact tracing data exposed by whistleblower to Target 11

PITTSBURGH — A major Target 11 investigation impacts about 70,000 people across Pennsylvania.

Investigator Rick Earle discovered that health and other personal information of tens of thousands of Pennsylvanians that was collected during contact tracing has been compromised.

Multiple investigations are now underway by the Pennsylvania Health Department and the company hired to collect the information and data.

Those investigations began after Earle was able to view personal information and informed the state health department what he had discovered.

People from Pittsburgh-region directly impacted

“The tracer was able to reach you? There’s your number. Is that your cell?” Earle asked.

“Yes,” replied Lisa Chapman, of New Kensington, after we showed her the entry on the spreadsheet next to her name.

We tracked down another woman who was on the list.

“Is that you? They spoke to you?” Earle asked.

“Yep,” said Zari Price of Washington, Pennsylvania.

“Contact currently reporting quarantine for 28 days as it’s a household exposure,” Earle read.

“We were under the impression that this was the health department, and no one’s going to see this but the health department. I’m shocked,” said Chapman.

“I’m very angry that I have, like ... this information is just out there. I’m also very disturbed, because who else has access to this information?” said Price.

How it happened

Insight Global, a staffing company based in Atlanta, Georgia, received a $23 million contract to hire 1,000 contact tracers in an effort to control the spread of COVID-19.

But some former employees tell Target 11 that the company failed to secure the information they collected from contacts. And the former workers say they told supervisors but nothing was done to protect the information.

Target 11 received links to spreadsheets containing names, along with health and personal information collected from contacts between September 2020 and March 2021.

Earle was easily able to click on the links and they revealed the information without using a login or password.

We are not releasing any of the names, but here’s some of the personal information contained on the spreadsheets.

“His wife was positive. She should have been in isolation. It sounds like neither are following protocol.”

“Four children in home … in full emotional support and ADHD diagnosis.”

“She’s on psych meds for depression. She says she is suicidal.”

Target 11 works to get answers

Earle took his findings to state Rep. Jason Ortitay, of Bridgeville.

“I’m looking through it. I can’t believe the level of detail in here. I think it’s absolutely ridiculous. Just to start, and as my first thought sitting there thinking, one: how can we let any of this happen? I mean, we’re supposed to be, you know, good stewards of our constituents’ information, especially from the state government level. People trust us with this stuff,” said Ortitay.

Earle also reached out to the Pennsylvania Health Department and told them what we had discovered.

“The Department of Health takes the safety and security of personal information extremely serious. We appreciate you bringing this to our attention, and as soon as you did, our first priority was to isolate and protect the information that was out there that you alerted us to,” said health department spokesman Barry Ciccocioppo.

The links containing the personal information were shut down the day after Earle reached out to the state health department.

“We have some information from a whistleblower indicating that the company you contracted with did not take the proper precautions to secure this data,” Earle told the spokesman from the state health department.

“Well, in fact, it appears that the documents that were shared with WPXI were created outside, entirely outside of the commonwealth’s normal secure data handling process,” said Ciccocioppo.

Company’s response to Target 11

Insight Global released the following statement to Target 11:

“We regret that information collected by our employees during COVID-19 contact tracing may have been made accessible to persons beyond authorized employees and public health officials. Our first priority has been to secure and prevent any further access to or disclosure of information. While an active investigation is underway by leading third-party IT security specialists, we also have a team working to determine what information is or remains at risk. At this time, we believe information consisted of names of individuals who may have been exposed to COVID-19 and a range of information designed to help manage the spread of the virus, and identify and address any needs for specific social support services. We understand the concerns the potential access to such information may raise, and we are urgently and closely working with the Pennsylvania Department of Public Health to notify individuals whose information may have been affected.”

Status of contract/Help available

After the news broke and Target 11 contacted the Department of Health, officials said they were not renewing their contract with Insight Global. They said company employees “created unauthorized documents outside of the secure data systems” and that it was “extremely dismayed” at what happened. Here’s a statement from the department:

“The Department of Health recently became aware that certain employees of Insight Global — a vendor contracted by DOH in 2020 to provide contact tracing and other similar services — disregarded security protocols established in the contract and created unauthorized documents outside of the secure data systems created by the Commonwealth. These documents existed separately from the official data that Insight Global employees were collecting and providing to DOH within secure data platforms. No Commonwealth IT assets or systems, including the COVID Alert PA app, were involved or compromised.

“The Department of Health takes the safety and security of individuals’ personal information extremely seriously. We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals. Immediately after becoming aware, the Department took swift action demanding Insight Global properly secure the documents. Insight Global engaged third-party IT specialists and immediately began a forensic investigation to identify all individuals who might be impacted.

“While the forensic investigation is ongoing, the documents did not contain financial account information, addresses, or social security numbers. We do know that some of the documents contained a minimum of 72,000 individuals’ names and some of the names are associated with additional information such as phone numbers and email addresses along with personal information such as gender, age, sexual orientation, and COVID diagnosis and exposure status.

“As a result of this incident, the Department of Health has informed Insight Global that it will not renew the contract when it expires July 31, 2021. The department is evaluating how to appropriately onboard resources to meet the public health needs of Pennsylvanians.

“The Department is requiring Insight Global to notify all impacted individuals. Additionally, a toll-free hotline — 1-855-535-1787 — will open on Friday, April 30, for anyone concerned that their information might have been subject to this security incident. The hotline will be staffed Monday through Friday, from 9:00 a.m. to 9:00 p.m. While no financial information was included, credit monitoring and identity protection services will be offered at no cost to anyone impacted by this incident.”

Cybersecurity expert talks about compromised data

“My initial evaluation showed that all of the links that you provided were online and accessible to the public without being able to or having to log in, and presenting any kind of authentication to a widely available to the public,” said Todd Hillis, who also discovered some of the same documents by doing a Google search.

“They are accessible and discoverable by a fairly crafty Google search,” said Hillis.

While the initial contract with Insight Global was for $23 million, Target 11 has learned from documents obtained through the State Treasurer that the company has now been paid $29 million since last September.

And those are all tax dollars.

“It’s very disturbing that none of this is protected and they got so much money to do this contact tracing. And, like I said, taxpayer dollars. It’s our dollars going to this and it’s not protected,” said Price.

Ortitay is calling for a federal investigation and a state house hearing.

“We need to launch an immediate investigation from the state, and I think we need to involve the feds in this, too. They definitely need to be involved in any kind of investigation. We should call them in. We should call the Department of Health in for a hearing immediately, have them explain what’s going on. The contractor should be in there, and I want to know what they’re doing and what they did wrong,” said Ortitay.