Law360 (May 6, 2021, 5:22 PM EDT) -- The Commonwealth of Pennsylvania and a government contractor have been slapped with a proposed class action a week after confirming that personal information of thousands of residents may have been exposed as part of a breach of the state's COVID-19 contact tracing database.
Westmoreland County resident Lisa Chapman said in a Wednesday complaint filed in federal court that staffing firm Insight Global Inc. and the state's Department of Health had failed to incorporate adequate data protection measures into its database to ensure that the personal information of Pennsylvania residents was safe from hackers.
"Defendants have acknowledged the sensitive and confidential nature of the information here at issue," Chapman said in her complaint. "Despite these acknowledgements and averments that all [private health information] obtained in connection with COVID-19 contact tracing would be kept private and confidential, defendants failed to take appropriate or even the most basic steps to protect the PHI of plaintiff and other class members from being disclosed."
According to the complaint, the state's Department of Health inked a $23 million contract with Insight Global last year to recruit, interview, hire, train and support contact tracers to help the state track down and notify Pennsylvania residents who may have been exposed to the virus.
But Insight Global announced last week that some personal information collected by those employees "may have been accessible to persons beyond authorized employees and public health officials."
Neither the company nor the health department is aware of misuse of the information exposed, according to a statement from Insight Global last week.
According to the complaint, personal health information obtained from residents through the contact tracing system was stored in unsecured spreadsheets and other databases that were accessible simply through a Google search with no password protection or other authentication.
The complaint said that Insight Global was aware as early as November that its employees were using unsecured databases.
The complaint said that a former Insight Global employee emailed state Department of Health officials as early as February but that neither the department nor the company took any action to notify individuals named in the database until the end of last month.
Chapman's complaint levels counts of negligence and alleges violations of the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act.
Jonathan Shub, an attorney with Shub Law Firm LLC representing Chapman, said his client was eager to press the case.
"Plaintiff looks forward to representing herself and the Commonwealth residents who were victimized by the unlawful release of their sensitive health information," he said in an email. "Plaintiff believes that the data breach was a result of a failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect their health information."
Representatives for the defendants did not immediately respond to requests for comment.
The plaintiffs are represented by Jonathan Shub and Kevin Laukaitis of Shub Law Firm LLC, Scott Cooper of Schmidt Kramer PC, James Haggerty of Haggerty Goldberg Schleifer & Kupersmith PC, John Goodrich and Lauren Nichols of Jack Goodrich & Associates PC and Philip DiLucente and Kenneth Nolan of Phil DiLucente & Associates LLC.
Counsel information for the defendants was not immediately available.
The case is Chapman v. Commonwealth of Pennsylvania Department of Health et al., case number 1:21-cv-00824, in the U.S. District Court for the Middle District of Pennsylvania.
--Additional reporting by Hailey Konnath. Editing by Daniel King.
For a reprint of this article, please contact email@example.com.