Fired Pa. contractor seeks to secure contact tracing data after learning personal info still online

After Spotlight PA found that Insight Global, the company handling contact tracing for the state, had not secured its data breach issues, the company called on former and current staff for help. (Elizabeth Robertson)

This story originally appeared on Spotlight PA.

The company responsible for administering Pennsylvania’s contact tracing program has called on current and former employees to help it locate and secure documents online that might still contain the personal information of those who were contacted.

In an email sent Friday to current and former employees, a copy of which was obtained by Spotlight PA, a lawyer for Insight Global asked them to contact the company’s information security team if they had any paper or electronic records, internet links and files, or Google Drive documents related to the program.

“As part of the effort to preserve all relevant materials, IG is working to ensure that any documents in the possession of individuals who worked on the contact tracing assignment for the Commonwealth of Pennsylvania are properly secure,” the letter read.

Employees will be assisted with securing or returning any physical documents, “as well as confirming that any internet links or electronic files have the proper security controls in place to ensure that they are not accessible by any third-parties.”

The letter stated that Insight Global’s goal is to “limit any further disclosure of sensitive information of persons contacted as part of these contact tracing efforts.”

The request came two days after Spotlight PA revealed that one Google document identifying 66 people — many of them minors, according to the birthdays listed — was still accessible to anyone with a link more than a month after the company said all data had been secured.

One former employee, who shared the letter, said this was the first such request they had received from Insight Global since it was disclosed in April that personal information related to tens of thousands of people in Pennsylvania had been kept insecurely online and compromised.

In a statement, Insight Global — which was awarded a $23 million contract by the state Department of Health in July 2020 — declined to answer questions about how many documents or links were still active, or how many were shut down since Friday.

“While we are unaware at this time of the misuse of the information involved, we continue to offer free credit monitoring and identity protection services to those who may have been impacted,” the statement read.

The company’s security weaknesses were first reported by Pittsburgh NBC affiliate WPXI in late April. At the time, both Insight Global and state officials acknowledged that the personal information of as many as 72,000 people had been stored insecurely in Google documents accessible to anyone with a link.

The company on April 29 said it became aware on April 21 that the data was compromised and “immediately took steps, completed by April 23, 2021, to secure and prevent any further access to or disclosure of information.”

But Spotlight PA reported June 9 that at least one document was still live and accessible online to anyone with the link, and contained the names of people who were potentially infected with the coronavirus, along with their dates of birth, phone numbers, counties of residence, and notes related to their test status or other personal information.

The document, which has since been shut down, was stored in a former employee’s personal Google account, raising questions about whether Insight Global or the state were aware of all potential documents online containing personal information.

Even as Insight Global works to lock those links and documents, it is not yet clear how many might still exist, let alone whether that information has been downloaded or distributed.

While contact tracing data does not include financial information, details like birthdays, family names, or places of residence could be used in phishing scams or for identity authentication.

A federal lawsuit seeking class-action status filed May 5 by an Allegheny County resident alleges the company was aware of security weaknesses as early as November, and that the state was aware as early as February. The lawsuit is scheduled to move forward next month.

The state health department did not respond to questions about whether it is monitoring Insight Global’s progress, though the company’s contract will terminate by the end of this month.

Case investigations will be handled by 140 health department community health nurses, and 50 National Guard members will assist with contact tracing efforts through mid-July.

Spotlight PA is an independent, non-partisan newsroom powered by The Philadelphia Inquirer in partnership with PennLive/The Patriot-News, TribLIVE/Pittsburgh Tribune-Review, and WITF Public Media.
