Lawsuit Filed Over Contact Tracing Data Breach

A federal lawsuit has been filed against Pennsylvania and a vendor contracted by the state's Department of Health (DOH) over a data breach that exposed the personal health information (PHI) of thousands of Pennsylvanians.

The DOH hired Atlanta-based company Insight Global in 2020 "to provide contact tracing and other similar services" following the outbreak of COVID-19. The Department later said that employees of the company caused a data breach by creating "unauthorized documents outside of the secure data systems created by the Commonwealth."

Information exposed in the data breach included names, phone numbers, and medical information belonging to 72,000 individuals.

The data breach was first reported by WPXI TV show Target 11 on April 30 after the show's team learned of the incident via a whistleblower. The show's investigator Rick Earle today reported that a lawsuit has been filed over the breach.

Insight Global and the Pennsylvania Department of Health are named as defendants in the suit, which claims that data breach victims now face an increased risk of identity theft.

The plaintiffs allege that the data breach was a “direct result of Defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols."

In the suit, Insight Global is accused of maintaining “unsecure spreadsheets, databases and or documents containing the PHI (public health information).”

In a statement by the company sent to Earle, Insight Global claimed to be unaware of any litigation regarding the data breach.

“Insight Global has not been served with the lawsuit and will need time to analyze any allegations, but can say that we are working closely with the Pennsylvania Department of Health to identify any individuals whose information may have been affected and have taken steps to secure and prevent any further access to, or disclosure of, information," stated the company.

The DOH has stated that it will not be renewing its contract with Insight Global after it expires on July 31. State representatives meeting in Harrisburg on Monday reportedly called for the contract to be terminated immediately and for an investigation into the breach to be launched by a state House Oversight Committee.

What’s Hot on Infosecurity Magazine?