State hires new contact tracing company after massive data breach

The Pennsylvania Health Department has hired a new company to conduct contact tracing efforts after the previous company suffered a massive data breach.

We first reported the data breach after Insight Global, which was paid nearly $30 million to conduct contact tracing in the state, exposed the personal information of more than 72,000 people across Pennsylvania.

After a Target 11 investigation in April discovered the unsecured personal and health information of tens of thousands of residents, the state terminated its contract with Insight Global.

Former and current employees of Insight Global said the company failed to take steps to protect the data, and said they told both Insight Global and the DOH about the potential cybersecurity issues months before Target 11 discovered the unsecured data.

“The week of April 20th, the Department of Health became aware that certain employees of Insight Global disregarded security protocols and established unauthorized documents created outside of state systems,” acting Secretary of Health Alison Beam testified during a hearing in Harrisburg on Wednesday.

The day before, Health Department officials continued to place the blame on employees of Insight Global, saying there was nothing in the contract with the company that would have prevented the massive data breach. Beam did not address allegations by former Insight Global employees who said they alerted the company and the Health Department about the data months prior.

Senator Scott Hutchinson (R-Oil City) said he had concerns from the beginning.

“We were really concerned long before any breaches that this information was somehow going to fall in the public realm, into nefarious hands; and lo and behold, that’s exactly what happened, unfortunately,” he said.

On Wednesday, the Health Department said they have made some changes they say will keep personal data secure.

“Through our oversight we are taking steps to earn Pennsylvania’s trust,” Beam said.

The new company, which was not named, has a proven track record of securing personal data while working for the state Department of Human Services, and all personal information gathered during contact tracing will now be stored in the secured Health Department system, Beam said.

“The infrastructure that we have, which is secure, is going to be the sole place that data is stored and maintained,” she said.

The new company is expected to be up and ready by mid-August.