Class action lawsuit over alleged breach of confidential PA COVID-19 contact tracing data
The Pennsylvania State Senate communications and technology committee will hold a public hearing on the allegations on Tuesday.
The Pennsylvania State Senate communications and technology committee will hold a public hearing on the allegations on Tuesday.
The Pennsylvania State Senate communications and technology committee will hold a public hearing on the allegations on Tuesday.
A federal class-action lawsuit alleges negligence by Pennsylvania's Health Department and a COVID-19 contact-tracing contractor, "Insight Global," in the leaking of personal health information gathered for the state.
"What has been reported to date has just been dumbfounding, that folks would have their private health information breached," Phil Dilucente, one of the attorneys filing the lawsuit said Friday. "I think we would all agree that there's nothing more personal than a person's private health information."
The suit says private health information of thousands of people leaked onto the Internet in a data breach traced to security failures by the contractor's contact tracing employees who did not follow correct safety practices.
"Instead they were using totally unsecured Google spreadsheets that we understand were available with a crafty Google search to anybody who decided to make that search. That means anyone with a nefarious purpose could have Googled this information and come across it on the Internet fairly easily," said Lauren Nichols, another attorney filing lawsuit.
Jack Goodrich, another attorney filing the lawsuit said, "This is people's personal information. It should not be out there. The representations that were made to people was that this was going to be protected, this was going to be private, nobody was going to know about it."
The lawsuit alleges Insight Global employees maintained unsecured spreadsheets, databases and documents for tens of thousands of people that were available to the public through a Google search and with no login or password needed for access.
The suit claims both Insight Global and the Health Department knew about the problem long before the people affected did. It claims the contractor knew as early as November its employees weren't using secure data storage or communications and that the state was notified by February 2021.
The Health Department says it has not been served with the lawsuit and generally doesn't comment on litigation.
The contractor emailed this statement to Pittsburgh's Action News 4:
"Insight Global has not been served with the lawsuit and will need time to analyze any allegations, but can say that we are working closely with the Pennsylvania Department of Health to identify any individuals whose information may have been affected and have taken steps to secure and prevent any further access to, or disclosure of, information. Although neither Insight Global nor the Commonwealth of Pennsylvania are aware at this time of the misuse of the information involved, we understand the concern that this potential access to such information may raise and we will be offering credit monitoring and identity protection services at no cost to those affected by this incident. We have established a call center (toll-free 1-855-535-1787) to help address questions about this incident."
The Pennsylvania State Senate communications and technology committee will hold a public hearing on the allegations on Tuesday.