Insight Global’s Contact Tracing Efforts Result in Leak of 72,000 PA Residents’ Personal Details
The State of Pennsylvania, along with its contractor Insight Global, is facing a potential class-action suit over a data breach that compromised the personal health information (PHI) of 72,000 Pennsylvania residents. The suit alleges that both the governor and Insight Global knew of the breach months earlier but dismissed it as invalid when concerns were raised in early April. Because notice was delayed, those affected by the breach went months without taking the steps needed to protect themselves. Pennsylvania state legislators have called for an investigation into the matter.
What is Contact Tracing?
A term from the public health sector, contact tracing is used to contain the spread of a disease or infection. It is a process for identifying infected persons and those who may have been in contact with them, and it is regarded as a necessary part of responding to health crises such as the COVID-19 pandemic.
Insight Global was contracted by the state of Pennsylvania to conduct contact tracing for COVID-19. However, an unauthorized collaboration channel used by Insight Global’s employees led to the mass breach: Google accounts were created without authorization to share information and collaborate, which opened a weakness in Insight Global’s system that allowed attackers to access its files. In a breach notice issued late last month, the company stated that the breach was discovered on April 21st and dealt with by April 23rd. That does not confine the leak to that week, however; other reports show that the data had been exposed since September 2020.
What Information Has Been Compromised?
The information leaked includes:
- Names of individuals who may have been exposed to COVID-19
- Whether individuals tested positive or negative for the virus
- Whether individuals experienced any symptoms
- The number of household members
- Email addresses
- Phone numbers
Insight Global states that no Social Security numbers, payment method details, or financial institution information was collected, and therefore none could have been leaked through its system.
Severe Privacy Violations
The Health Insurance Portability and Accountability Act (HIPAA) is a compliance framework intended to prevent companies from recklessly handling individuals’ personal health information (PHI). A main pillar of HIPAA compliance is security: companies handling PHI are accountable for protecting and securing the data of their clients, patients, or customers, and they must conduct in-house HIPAA training annually so that employees know how to handle and dispose of PHI. It has come to light that Insight Global’s security measures were close to nil.
Unsecured spreadsheets and databases made PHI available to the public through simple online searches, and the 72,000 individuals who were exposed now face a heightened risk of identity theft and other cybercrimes. With the world already facing substantial spikes in identity theft, Insight Global has made easy work of putting private information within reach of cybercriminals.