Republican Pa. lawmakers call for investigation of unsecured contact tracing data

PHILADELPHIA (KYW Newsradio) — Republican state lawmakers are demanding an investigation as to why the personal information of tens of thousands of Pennsylvanians was stored online in an unsecured manner.

Last week, it was publicly revealed that Atlanta-based company Insight Global, which was hired by the Pennsylvania Department of Health to manage COVID-19 contact tracing, stored personal and medical information in an unsecured, online document.

The document had at least 72,000 names on it and included personal information like age, gender and sexual orientation.

When Pittsburgh-based state Rep. Jason Ortitay first heard about it, he alerted the Wolf administration.

“About a week later I got a response — well, a little less than a week later,” he said. “It had been looked into and the rumors were proven false.”

Insight Global said it learned about the unsecured information on April 21 and secured it all two days later.

The Pennsylvania Department of Health confirmed on April 29 that employees at Insight Global — a vendor it hired on a no-bid emergency contract — created the list outside of the company’s secured system.

The department said it would not renew the contract when it comes up in July, but Ortitay is asking them to end the $29 million contract now.

He and other Republican leaders in the state House are calling for an investigation.

“In addition, I am beginning the process of working on legislation that puts more protections and checks and balances in place for no-bid contracts moving forward,” he said.

Insight Global said financial information and Social Security numbers were not stored in the document, and they are unaware of any misuse of the information.

Officials with Bucks, Montgomery, Chester and Delaware counties said they have not used Insight Global for contact tracing efforts, so residents are unaffected.

The Pennsylvania Department of Health and office of Gov. Tom Wolf shared the following comment in response to the story, which we offer in full below:

Rep. Ortitay’s email to the Department of Health on April 1 did not raise any data security concerns; it simply asked questions about the vendor.

The week of April 19 was the first time the Department of Health learned about the data security incident from WPXI. DOH immediately took action.

The incident occurred because certain employees of Insight Global disregarded security protocols established in the contract and created unauthorized documents outside of the secure data systems created by the Commonwealth. That situation has been corrected and no Commonwealth IT assets or systems, including the COVID Alert PA app, were involved or compromised in this security incident.

There are approximately 900 Insight Global staff supplementing DOH personnel (nearly the size of DOH’s entire staff complement). The Department is continually assessing the needs of citizens as it relates to the COVID-19 response.

The Department plans to transition away from Insight Global when the contract ends at the end of July and onboard resources to meet the public health needs of Pennsylvanians that are sized to where we are in the pandemic response.