Target 11 investigation into data breach leads to new state law

PITTSBURGH — An exclusive Target 11 investigation into a massive data breach last year has led to a new state law meant to protect every citizen of the Commonwealth.

Target 11 Investigator Rick Earle broke the story of that data breach last April and now because of his reporting, state lawmakers passed legislation requiring timely notification of data breaches.

The governor recently signed the legislation into law.

“We would not be here today having this conversation without the reporting of you and your team at WPXI,” said state Sen. Kristin Phillips-Hill, a Republican from York, Pennsylvania.

Target 11 first reported more than a year ago that the personal and health information of 100,000 Pennsylvanians had been compromised. The information included names, addresses and personal health information about residents, including children.

Target 11 tracked down several people in western Pennsylvania who were on the list. They were surprised that their information was in the public domain.

“I’m very angry that I have like, this information is just out there. I’m also very disturbed because who else has access to this information?” said Zari Price, whom we spoke with in Washington County.

Download the FREE WPXI News app for breaking news alerts.

The spreadsheets obtained by Target 11 included the personal information about residents across the state who had tested positive for COVID-19. They also included personal information and health data for people who had been in contact with a positive case.

The state initially told Target 11 it wasn’t a big deal, and that it had been dealt with, but when Target 11 showed them multiple spreadsheets with the information, a spokesman for the state Health Department admitted it was an issue.

Target 11 reached out to lawmakers, who were unaware of the massive data breach.

“And Rick, it was you who brought this to our attention — not the Department of Health or the Commonwealth of Pennsylvania. It was your reporting. I can only imagine how I would have felt if my child’s personal information was found online. So and then to have to hear about it through a story on TV as opposed to directly from the state. I believe it was a complete failure,” said Phillips-Hill.

Follow Channel 11 News on Facebook and Twitter. | Watch WPXI NOW

After our exclusive report, the state terminated its $30 million contract with Insight Global.

The Atlanta, Georgia-based company accused employees of failing to secure the data.

It led to legislative hearings, a class-action lawsuit against the company and a brand-new law.

That law requires state, county and municipal agencies, and public schools that experience a data breach to notify all those impacted within seven days.

It also requires notification to the Pennsylvania attorney general within three days.

“I mean this is exactly what government should be doing: working together for the common good of every resident of the Commonwealth of Pennsylvania. And look Rick, we love your reporting but a data breach in state government should result in state government notifying its victims,” said Phillips-Hill.