Tens of thousands of Pennsylvanians health data exposed following data breach

Coronavirus tracing company is at the heart of the exposure

Locks on a screen with one open and in red

A data breach at a coronavirus contact tracing company has exposed the personal health information of tens of thousands of Pennsylvanians.

According to a report from the Pittsburgh Post-Gazette, officials at Pennsylvania’s Department of Health alleged that employees at Atlanta-based Insight Global “disregarded security protocols established in the contract and created unauthorized documents” outside the state’s secure data system.

In an email, the agency’s spokesman Barry Ciccocioppo said "we are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals."

He added that the state’s computer systems, including Pennsylvania's contact tracing app, were not implicated. The exposed information included names, phone numbers, emails, genders, ages, sexual orientations, and COVID-19 diagnoses and exposure status.

WPXI-TV in Pittsburgh first reported the data breach. Former employees of Insight Global told the TV station they told supervisors that information had been improperly secured, but the company took no action. A spokesperson for Insight told WPXI that contract tracing information "may have been made accessible to persons beyond authorized employees and public health officials."

Pennsylvania will not be renewing the company’s contract, which expires in three months. Free credit monitoring and identity protection services will be available to affected people.

Related Resource

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

cost of a data breach report 2020 - whitepaper from IBMDownload now

Trevor J. Morgan, product manager at Comforte AG, told ITPro the situation is a cautionary tale. Whether through contractual obligation or regulatory mandate, enterprises working with sensitive data need to meet the acceptable threshold of data security.

“However, vendors can’t trust that sensitive data such as PHI will always remain protected if it travels outside protected perimeters because data is vulnerable even when resting within the security perimeters,” he said.

Morgan added that when data is on the move, it is especially prone to mishandling and compromise, which means that a more data-centric approach to security should be part of those minimum data security standards.

“Data-centric security such as tokenization and format-preserving encryption replaces sensitive data with benign representational information, so even if it falls into the wrong hands the data cannot be compromised by the wrong parties. For more and more regulatory agencies and individual enterprises, data-centric security measures are now part of minimum data security standards because of the ability to protect data even while in motion,” he added.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Cloud solution – yes or no? The answer starts with your strategy
Whitepaper

Cloud solution – yes or no? The answer starts with your strategy

29 Jul 2021
The controversial CLOUD Act
Whitepaper

The controversial CLOUD Act

29 Jul 2021
A new trust model for the 5G era
Whitepaper

A new trust model for the 5G era

24 Jun 2021
CVS Health data breach leaves a billion records exposed
data protection

CVS Health data breach leaves a billion records exposed

16 Jun 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021