HARRISBURG — Pennsylvania lawmakers called for an investigation on Monday into the data breach that compromised the personal information of more than 70,000 residents who participated in the state’s contact tracing efforts.
A news report from Target 11 published last week said a whistleblower from the Atlanta-based Insight Global alerted the outlet to the security breach after concerns about the company’s data collection processes went ignored.
The state Department of Health awarded Insight Global a no-bid $23 million contract for its contact tracing services in spring 2020. The agreement, set to expire in July, will not be renewed, according to Rep. Jason Ortitay, R-Bridgeville.
“July is too long to wait and a poor use of taxpayer dollars for what appears to be a breach of contract,” he said at Monday’s news conference calling for state and federal probes of the situation. “The public trust is gone.”
A former employee told Target 11 that contact tracers collected personal identifying information about residents in unsecured Google spreadsheets. Target 11’s investigators viewed the sensitive data by clicking a link, according to the report.
In a statement posted to its website, Insight Global claimed it uses “robust security” on its in-house platforms, but said some employees created an “unauthorized collaboration channel” for sharing information that included names, addresses, household members, emails and phone numbers.
“We deeply regret this happened and are committed to restoring the trust of any residents of Pennsylvania who may have been impacted,” the company said. “All necessary steps are being taken to secure any personal information, and we intend to learn and grow from this.”
The company established a hotline for residents concerned about their personal information and is offering free credit monitoring services through TransUnion to affected individuals. The breach includes data collected between September 2020 and April 21, 2021, according to the statement.
“We have worked closely with the Pennsylvania Department of Health to identify any individuals whose information may have been affected,” the statement concludes. “Individuals whose information may have been affected will also be notified by mail once address information is identified.”
Ortitay said he first learned of the issue when a reporter asked for comment April 1. He took the information to Gov. Tom Wolf’s administration, but said staff were alerted to the same breach “months ago” and determined it to be untrue.
About three weeks later, the Department of Health confirmed to a reporter that the breach occurred, but provided no further information, Ortitay said. He questioned why the department had denied the existence of the breach to him last month and wondered how many more residents’ information was compromised as a result of the administration’s inaction.
“Also, why isn’t the department immediately terminating the contract of this company? Who is going to trust them moving forward?” he said. “We need a full investigation.”
House Majority Leader Kerry Benninghoff, R-Bellefonte, and Majority Whip Donna Oberlander, R-Clarion, joined Ortitay at Monday’s news conference to blast the Wolf administration for dodging initial questions about the incident.
“I’m very disappointed that the people of this commonwealth have been let down again and their personal information exposed to the world,” Oberlander said. “But, I’m not surprised.”
She pointed to security breaches with the state’s unemployment compensation system. The Department of Labor & Industry said last month 84% of the nearly 1 million claimants that applied for pandemic-related jobless benefits between October and March were deemed fraudulent. In total, the state has recouped $800 million in stolen benefits since May 2020.
“We have seen a disturbing pattern of a lack of transparency and openness from an administration that claims to be the most transparent ever,” Oberlander said.
Benninghoff said it’s just another failure of the governor’s broad emergency powers awarded to him under the 90-day disaster declaration that he’s since extended four times. Voters will decide in the May 18 primary election whether the legislature should have the authority to limit those declarations to 21 days.
“This contract was issued under sole-sourcing no-bid contract authority of the governor’s emergency disaster declaration,” he said. “That means that the Wolf administration did not need to seek other bids, did not have to seek better security maintenance, and did not have additional scrutiny over the issuance of this contract.”
The Department of Health reiterated much of Insight Global’s statement and confirmed it will not renew their contract when it expires on July 31.
“The Department of Health takes the safety and security of individuals’ personal information extremely seriously,” said Barry Ciccocioppo, a department spokesperson. “We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals.”
He said the department took “swift action” and engaged “third party IT specialists” to secure the data and begin a forensic audit to identify all impacted residents.