IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Tens of thousands of Pennsylvanians health data exposed following data breach

Coronavirus tracing company is at the heart of the exposure

Locks on a screen with one open and in red

A data breach at a coronavirus contact tracing company has exposed the personal health information of tens of thousands of Pennsylvanians.

According to a report from the Pittsburgh Post-Gazette, officials at Pennsylvania’s Department of Health alleged that employees at Atlanta-based Insight Global “disregarded security protocols established in the contract and created unauthorized documents” outside the state’s secure data system.

In an email, the agency’s spokesman Barry Ciccocioppo said "we are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals."

He added that the state’s computer systems, including Pennsylvania's contact tracing app, were not implicated. The exposed information included names, phone numbers, emails, genders, ages, sexual orientations, and COVID-19 diagnoses and exposure status.

WPXI-TV in Pittsburgh first reported the data breach. Former employees of Insight Global told the TV station they told supervisors that information had been improperly secured, but the company took no action. A spokesperson for Insight told WPXI that contract tracing information "may have been made accessible to persons beyond authorized employees and public health officials."

Pennsylvania will not be renewing the company’s contract, which expires in three months. Free credit monitoring and identity protection services will be available to affected people.

Related Resource

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

cost of a data breach report 2020 - whitepaper from IBMDownload now

Trevor J. Morgan, product manager at Comforte AG, told ITPro the situation is a cautionary tale. Whether through contractual obligation or regulatory mandate, enterprises working with sensitive data need to meet the acceptable threshold of data security.

“However, vendors can’t trust that sensitive data such as PHI will always remain protected if it travels outside protected perimeters because data is vulnerable even when resting within the security perimeters,” he said.

Morgan added that when data is on the move, it is especially prone to mishandling and compromise, which means that a more data-centric approach to security should be part of those minimum data security standards.

“Data-centric security such as tokenization and format-preserving encryption replaces sensitive data with benign representational information, so even if it falls into the wrong hands the data cannot be compromised by the wrong parties. For more and more regulatory agencies and individual enterprises, data-centric security measures are now part of minimum data security standards because of the ability to protect data even while in motion,” he added.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Deploying flexible data protection to support cloud workload placement
Whitepaper

Deploying flexible data protection to support cloud workload placement

10 Mar 2022
Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Europol ordered to delete huge cache of unlawfully stored data
data protection

Europol ordered to delete huge cache of unlawfully stored data

11 Jan 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021

Most Popular

Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022