HARRISBURG, Pa. — Target 11 recently obtained an email sent to the Pennsylvania Department of Health nearly two months ago that’s raising new questions about who knew what, and when, about a COVID-19 contact tracing data breach.
In the email dated Feb. 25, a former Insight Global employee raised concerns about data security.
“My issue was concerning non-compliant behavior of the program with HIPPA and PII-related data. Since IG made no attempt to correct my concerns (I found multiple issues and several exposures), I was unsure of what to do with the knowledge I had about their lack of security,” the email said. “Would you be able to guide me further? I simply want to share what I know with the correct department and my hope is that data will be better protected moving forward.”
A legal assistant for the Pennsylvania Department of Health’s Office of Legal Counsel responded that same day with: “I forwarded your inquiry to our legal management team.”
The former employee told Target 11 that they never heard anything more from the health department.
Target 11 reached out to the department for a response. It stated that they are working on it and will get back to Channel 11.
A handful of state representatives gathered in Harrisburg on Monday and demanded answers after the Target 11 investigation that exposed the data breach last week.
Target 11 reported the data breach after being able to easily access the personal and health information of more than 70,000 people who had been contacted by contact tracers.
Pennsylvania Gov. Tom Wolf’s office released the following statement about the breach:
“When the administration responded to the representative, the Department of Health did not have the information that it announced last week. The administration accurately provided the information conveyed by the Department of Health as of that date. The Department of Health did not become aware of the additional issues until April 19 and it was not until April 20 that the Department of Health was in a position to announce the result of its review. The representative was afforded a legislative briefing before the department’s announcement, which was the earliest time that the department was in position to discuss its review.”
The Department of Health blamed employees of Insight Global, the private company that received a $23 million no-bid contract to do contact tracing, saying they ignored security protocols.
State representatives called for the immediate termination of the contract, an independent state or federal investigation, and a state House Oversight Committee investigation. They said they are also working on legislation that would put more checks and balances in place for no-bid contracts.
“Someone needs to be held accountable for this egregious breach of trust, and to those people whose information was compromised, you deserve better,” said State Rep. Donna Oberlander. “I’m very disappointed that the residents of this state have been let down yet again and that their personal information has been exposed to the world.”
State Rep. Jason Ortitay said it is important that we learn what happened here so that it can be fixed and addressed so that people can feel confident that their personal confidential information is secure.
The state said last week that it would not renew the contract when it’s up in July, but Ortitay said that’s too late.
“The public trust in Insight Global is gone, and as long as the company continues to do contact tracing for our state, who is going to give them any information?” Ortitay asked.
Ortitay is now raising other questions about the contact tracing contract.
“Are there other issues that we aren’t yet aware of with this vendor? How do we know the information they’ve been giving to the state has been accurate? Do the numbers match the reports? Has the state been verifying their information or simply accepting it without further inquiry?” Ortitay asked.
Ortitay reached out to the state health department the same day Channel 11 showed him what was discovered. He asked the health department if they had implemented new software. He did not tell them about a potential data breach because he was first trying to confirm the information Channel 11 showed him was accurate. Ortitay said the health department told him they would get back to him.
When he didn’t hear back from the health department, he reached out to Wolf’s office on April 7 and alerted them about the possible data breach. On April 13, Wolf’s office told Ortitay that they had looked into this allegation several months ago and there was nothing to it.
A week later, Target 11 reached out to both Wolf’s office and the state health department and showed them the links to the spreadsheets containing the personal and health information. The state health department then confirmed to Target 11 that there had indeed been a data breach.
The Pennsylvania Attorney General’s Office responded by saying: “These allegations about a contractor failing to safeguard people’s personal data are concerning. Our office is aware of these allegations and cannot comment further at this time.”