Contact Tracing Data Breach Exposes 72,000 Pennsylvanians' Personal Information
HARRISBURG (KDKA) - A COVID-19 contact tracing breach in Pennsylvania may have impacted at least 72,000 people.
The number of people whose data has been compromised could grow, according to cybersecurity experts.
The Pennsylvania Department of Health hired Atlanta-based firm Insight Global to perform contact tracing.
They say the company had disregarded safety protocols, with some employees creating Google accounts to share data, including information gathered from contact tracing calls.
Those documents were left unprotected and that made them vulnerable to access.
"If you go through all the trouble of creating this environment where everything's protected, why did you go outside of that?" asked cybersecurity expert Zen Piotrowski with CMIT Solutions.
It is a question many are asking, along with how long the exposed information has been available.
The leaked information includes names, phone numbers, email addresses, genders, and COVID-19 diagnosis or exposure.
However, financial accounts and social security numbers were not part of those lists.
"If you had some health conditions that you didn't want people to be aware of, they're now in the open," Piotrowski said. "So that's a problem, and Insight Global could be liable for exposing that information."
"The more information you have about a person, for example, the more you can use it to get their identity or in some cases blackmail them or use that to your advantage to turn that into money," said cybersecurity expert Alan Crowetz.
Crowetz also believes that more people are impacted than expected.
"I hope in this case somebody is held to account for this," Piotrowski said. "The state paid them $28.7 million, and they didn't protect the data. I'm hoping there are some financial penalties as well as maybe some criminal penalties."
Insight Global has said they will notify those who may have been affected.
On Friday afternoon, the company will open a hotline for those who may be concerned their data was exposed. They will also provide credit monitoring and identity protection services.
Those wanting to check if they were affected by the data breach can call the hotline at 1-855-535-1787.
The state has said that their computer systems and contact tracing app were not impacted.
The Department of Health said they will not renew their contract with Insight Global in July.