PA Lawmakers Demand Investigation Of Contact Tracing Data Breach

PENNSYLVANIA — Republicans in the Pennsylvania legislature are calling for an investigation into a massive data breach that may have exposed personal health care information of at least 72,000 residents, alleging that the state was made aware of issues months ago but dismissed the concerns as false.

State Rep. Jason Ortitay said that he became aware of an issue April 1 and contacted Gov. Tom Wolf's office at the time. He said he was told that the issue was raised months previous and that there was no validity to it.

Patch reached out to the governor's office for a response on these claims. A spokesperson said they would return the inquiry but hadn't as of Wednesday afternoon.

"Why didn’t the department or the governor’s office take action when they were notified months earlier and again by me in early April?” Ortitay said. “How many more people had their information compromised because the governor’s administration failed to act immediately?"

The state contracted with an Atlanta-based firm, Insight Global, to assist in contact tracing during the height of the pandemic in 2020. The Department of Health told Patch that this company disregarded established security protocols by creating unauthorized copies of documents containing sensitive personal health care information. These copies were outside of the secure servers set up by the state.

The documents exposed contained personal and health care information such as phone numbers, email addresses, ages, genders, sexual orientations and COVID-19 diagnoses. Credit card, Social Security and home address information was not compromised, the state said.

Insight Global said it has hired IT security experts to look at how the breach occurred. It said there's no evidence thus far that exposed information has been maliciously used. The security issue appears to be in the way in which certain employees communicated sensitive personal information between each other.

"Although Insight Global has robust security on its in-house platforms, as part of an unauthorized collaboration channel, certain employees set up and used several Google accounts for sharing information," the company said in an emailed statement.

It's not yet clear if the issues allegedly raised months ago were due to this same security flaw.

But Republicans say that the state should be held accountable for how it has responded. Ortitay noted concern that the contract with Insight Global, which was awarded without a bidding process, was not immediately terminated. The state said it plans not to renew the contract when it expires in July.

Lawmakers are calling for the state attorney general’s office, the House Government Oversight Committee and federal law enforcement agencies to look into the incident

House Majority Whip Donna Oberlander said that the state's handling of the situation is the latest example of why greater oversight of the governor's office is needed from the General Assembly, pointing to oft-cited Republican frustrations with Wolf over vaccine rollout, the economic shutdown, and other aspects of the pandemic response.

“Sadly, we have seen a disturbing pattern of lack of openness and transparency from the administration that has claimed it is the most transparent ever,” she said.

The issue of the governor's emergency powers has taken center stage in recent months and will be addressed via ballot questions in the upcoming Pennsylvania primary election May 18.

Anyone concerned they may have had their data compromised can call a hotline, 855-535-1787, from 9 a.m. to 9 p.m. weekdays. Additionally, Insight Global is offering free credit monitoring and identity protection services through TransUnion for anyone impacted.