Pennsylvania firing vendor that mishandled virus data

A close-up of the Moderna COVID-19 vaccine.

A close-up of the Moderna COVID-19 vaccine. (Office of Gov. Tom Wolf)

Pennsylvania is firing a company that performed COVID-19 contact tracing and exposed the private medical information of tens of thousands of residents, state officials said Thursday.

Employees of Insight Global used unauthorized Google accounts — readily viewable online — to store names, phone numbers, email addresses, COVID-19 exposure status, sexual orientations and other information about residents who had been reached for contact tracing. The company’s contract with the state required it safeguard people’s data.

The Department of Health said last month that at least 72,000 people were impacted. The state had planned to drop Insight Global once its contract expires at the end of the July, but the Health Department said Thursday it will terminate the contract early, on June 19.

The department said in a message to House Republicans that it was taking action “after more fully evaluating the circumstances” of the security lapse.

Insight Global is required to notify impacted people, and the Health Department told the GOP those notifications would begin next week. The department said the state’s contact tracing operation would continue with a new vendor.

“We are working to make sure that there is not a break in continuity in our contact tracing services as we transition out of the Insight Global contract and into our next contract” Acting Health Secretary Alison Beam said at a news briefing Thursday.

State Rep. Jason Ortitay, R-Allegheny, who has accused the Wolf administration of being slow to act on the breach, said in a statement Thursday that he is pleased the state is severing ties with the Atlanta-based company, but said he is still seeking answers about the incident.

“This deserves a full investigation so we can learn what happened and how to prevent it from happening again moving forward,” he said.

The state has paid Insight Global tens of millions of dollars since last summer to administer the state’s contact tracing program. Contact tracers identify people who have been exposed to the coronavirus so they can quarantine.

Insight Global has acknowledged it mishandled sensitive data and apologized. The company has said it became aware on April 21 that employees had set up the unauthorized Google accounts for sharing information. Insight Global said it took steps to secure the information and that it was unaware of “the misuse of the information involved.”

Get daily updates from WHYY News!

Want a digest of WHYY’s programs, events & stories? Sign up for our weekly newsletter.

Together we can reach 100% of WHYY’s fiscal year goal