Pa. COVID Contact-Tracing Data Breach Exposes Thousands

By Hailey Konnath

Law360 (April 29, 2021, 9:08 PM EDT) -- Thousands of Pennsylvanians' personal information may have been exposed in a data breach at Insight Global, which was contracted to provide COVID-19 contact-tracing services for the Keystone State's health department, the company confirmed Thursday.

Government contractor Insight Global confirmed Thursday that thousands of Pennsylvanians may have been affected by a "security vulnerability" related to its COVID-19 contact-tracing services. (AP Photo/Rick Bowmer)

The Pennsylvania Department of Health announced its nearly $23 million federally funded contract with Insight Global last summer, according to the agency. Specifically, the staffing company was tapped to recruit, interview, hire, train and support contact tracers to help the state track down and notify individuals who may have been exposed to the virus.

But Insight Global said Thursday that some personal information collected by those employees "may have been accessible to persons beyond authorized employees and public health officials." Neither the company nor the health department is aware of misuse of the information exposed, according to a statement from Insight Global.

The company didn't disclose how many people's personal information may have been compromised, but Pittsburgh's NBC affiliate, WPXI-TV, reported Thursday that 70,000 individuals are affected.

Insight Global said the information involved included the names of individuals who may have been exposed to COVID-19, whether they experienced symptoms, the number of members in their households, their emails and telephone numbers, and information needed for social-support services. Those individuals would've been contacted between September 2020 and April 21, 2021, Insight Global said, though it added that only a portion of individuals contacted during that time were affected by the breach.

Insight Global didn't collect Social Security numbers, financial account information or payment card information, the company said.

"We deeply regret this happened and are committed to restoring the trust of any residents of Pennsylvania who may have been impacted," Insight Global said. "All necessary steps are being taken to secure any personal information, and we intend to learn and grow from this."

According to the company, Insight Global has "robust" security on its in-house platforms, but certain employees set up and used several Google accounts for sharing information as part of an "unauthorized collaboration channel." Documents pertaining to contact-tracing collection may have been vulnerable as a result, it said.

Insight Global said it learned of the "security vulnerability" on April 21. At that time, it secured and prevented any further access to or disclosure of information, it said.

The company worked closely with Pennsylvania's health department to identify the individuals affected, it said. A dedicated call center will be launched Friday afternoon to answer questions from the public about the incident, according to the statement.

Pennsylvania's health department didn't immediately return a request for comment late Thursday. However, department spokesperson Barry Ciccocioppo told the Associated Press that Insight Global "disregarded security protocols established in the contract" with the state.

"We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals," he said.

According to a July 2020 statement from the health department, Insight Global was selected for its "ability to operationalize a large-scale, well-resourced program quickly and efficiently while incorporating diversity and equity in hiring practices, engagement and training of the workforce." The contract was to add 1,000 additional contact-tracing staff to the 654 contact tracers the state had at the time, the agency said.

Also this week, Google LLC was hit with a suit over its contact-tracing tool, which consumers claim is exposing unwitting Android users' sensitive personal information to dozens of third parties due to an alleged "security flaw" that enables diagnoses to be linked to specific individuals.

The Google-Apple Exposure Notification System, which the companies rolled out last May, is designed to assist governments across the globe with tracking the spread of COVID-19 through smartphone apps that alert users who come in close contact with someone who tested positive for the novel coronavirus.

However, while the companies have assured those who choose to use the tool that their personal data will be safeguarded and their identities will remain anonymous, Google has failed to live up to this pledge by allowing sensitive contact-tracing data to be placed on Android devices' system logs, thereby allowing "dozens or even hundreds of third parties" to access this data and tie it to specific individuals, according to Wednesday's complaint.

--Additional reporting by Allison Grande and Ben Kochman. Editing by Breda Lund.