April 29, 2021
A data breach reported by the Pennsylvania Department of Health on Thursday may have leaked the information of thousands of residents involved in the state's COVID-19 contact tracing program, which launched last year.
The leak potentially compromised the data of approximately 72,000 Pennsylvanians. It likely occurred through a third-party vendor hired to help with contact tracing called Insight Global.
The firm is an Atlanta-based employment agency hired to bring on 250 contact tracers in 35 days, as well as new employees every two weeks to keep up with the pandemic.
A few particular employees of Insight Global may be responsible for the breach, during which they "disregarded security protocols," officials said.
The employees allegedly created copies of residents' personal information and then sent the data to sources outside of the contact tracing system.
"We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals," Barry Ciccocioppo the communications director for the Department of Health, told Patch.
Personal information like ages, genders, sexual orientations, phone numbers, email addresses, as well as COVID diagnoses may have been leaked during the breach.
Fortunately, none of the information was found to be tied to financial records or social security numbers, the health department said. The state's computer system was not involved in the breach, Ciccocioppo told the Inquirer.
The incident was first reported by WXPI. The Pittsburgh-based television station said Thursday morning that multiple investigations by the state health department are now under way.
Following their report, the health department also said they would not be renewing their contract with Insight Global, which expires on July 31.
The news outlet also published a statement from the DOH which said all impacted individuals would be contacted by Insight Global. Additional routes for responding to the data breach, such as a hotline, will also be available.
"The Department is requiring Insight Global to notify all impacted individuals. Additionally, a toll-free hotline — 1-855-535-1787 — will open on Friday, April 30, for anyone concerned that their information might have been subject to this security incident. The hotline will be staffed Monday through Friday, from 9 a.m. to 9 p.m. While no financial information was included, credit monitoring and identity protection services will be offered at no cost to anyone impacted by this incident," wrote the health department.