Spotlight PA is an independent, nonpartisan newsroom powered by The Philadelphia Inquirer in partnership with PennLive/The Patriot-News, TribLIVE/Pittsburgh Tribune-Review, and WITF Public Media. Sign up for our free newsletters.
HARRISBURG — The company responsible for administering Pennsylvania’s contact tracing program has called on current and former employees to help it locate and secure documents online that might still contain the personal information of those who were contacted.
In an email sent Friday to current and former employees, a copy of which was obtained by Spotlight PA, a lawyer for Insight Global asked them to contact the company’s information security team if they had any paper or electronic records, internet links and files, or Google Drive documents related to the program.
“As part of the effort to preserve all relevant materials, IG is working to ensure that any documents in the possession of individuals who worked on the contact tracing assignment for the Commonwealth of Pennsylvania are properly secure,” the letter read.
Employees will be assisted with securing or returning any physical documents, “as well as confirming that any internet links or electronic files have the proper security controls in place to ensure that they are not accessible by any third parties.”
The letter stated that Insight Global’s goal is to “limit any further disclosure of sensitive information of persons contacted as part of these contact tracing efforts.”
The request came two days after Spotlight PA revealed that one Google document identifying 66 people — many of them minors, according to the birthdays listed — was still accessible to anyone with a link more than a month after the company said all data had been secured.
One former employee, who shared the letter, said this was the first such request they had received from Insight Global since it was disclosed in April that personal information related to tens of thousands of people in Pennsylvania had been kept insecurely online and compromised.
In a statement, Insight Global — which was awarded a $23 million contract by the state Department of Health in July 2020 — declined to answer questions about how many documents or links were still active, or how many were shut down since Friday.
“While we are unaware at this time of the misuse of the information involved, we continue to offer free credit monitoring and identity protection services to those who may have been impacted,” the statement read.
House Majority Leader Kerry Benninghoff (R., Centre) on Thursday urged Attorney General Josh Shapiro to take “swift legal action” against Insight Global as his office pursues an investigation into the security lapse.
“For Pennsylvanians who have been victimized, particularly minors who may have to deal with this issue for the rest of their lives, merely providing basic credit monitoring services as has been offered by Insight Global is flat-out unsatisfactory,” the letter read.
A spokesperson for the attorney general’s office referred Spotlight PA to a May 12 statement from Shapiro, issued in response to initial reports of the Insight Global data breach, calling it a “serious matter.”
The company’s security weaknesses were first reported by Pittsburgh NBC affiliate WPXI in late April. At the time, both Insight Global and state officials acknowledged that the personal information of as many as 72,000 people had been stored insecurely in Google documents accessible to anyone with a link.
The company on April 29 said it became aware on April 21 that the data was compromised and “immediately took steps, completed by April 23, 2021, to secure and prevent any further access to or disclosure of information.”
But Spotlight PA reported June 9 that at least one document was still live and accessible online to anyone with the link, and contained the names of people who were potentially infected with the coronavirus, along with their dates of birth, phone numbers, counties of residence, and notes related to their test status or other personal information.
The document, which has since been shut down, was stored in a former employee’s personal Google account, raising questions about whether Insight Global or the state were aware of all potential documents online containing personal information.
Even as Insight Global works to lock those links and documents, it is not yet clear how many might still exist, let alone whether that information has been downloaded or distributed.
While contact tracing data does not include financial information, details like birthdays, family names, or places of residence could be used in phishing scams or for identity authentication.
A federal lawsuit seeking class-action status filed May 5 by an Allegheny County resident alleges the company was aware of security weaknesses as early as November, and that the state was aware as early as February. The lawsuit is scheduled to move forward next month.
The state health department did not respond to questions about whether it is monitoring Insight Global’s progress, though the company’s contract will terminate by the end of this month.
Case investigations will be handled by 140 health department community health nurses, and 50 National Guard members will assist with contact tracing efforts through mid-July.
This story has been updated with a letter from House Majority Leader Kerry Benninghoff.
WHILE YOU’RE HERE… If you learned something from this story, pay it forward and become a member of Spotlight PA so someone else can in the future at spotlightpa.org/donate. Spotlight PA is funded by foundations and readers like you who are committed to accountability journalism that gets results.