Personal data from Pa. contact tracing calls still online despite assurances it had been secured
Spotlight PA is an independent, non-partisan newsroom powered by The Philadelphia Inquirer in partnership with PennLive/The Patriot-News, TribLIVE/Pittsburgh Tribune-Review, and WITF Public Media.
HARRISBURG — Personal information collected during coronavirus contact tracing calls in Pennsylvania is still available online in a document accessible to anyone with a link, Spotlight PA has learned, more than a month after the company responsible said the data had been secured.
The information, contained in an active Google spreadsheet, includes the names of people who were potentially infected with the coronavirus, along with their dates of birth, phone numbers, counties of residence, and notes related to their test status or other personal information.
The entries are dated Oct. 22, 2020, to Nov. 10, 2020, and identify approximately 66 people — many of them minors, according to the birthdays listed. The link to the sheet was provided to Spotlight PA as part of a cache of links that included call scripts used by contact tracers, training materials, and other resources.
Insight Global — the company the state Department of Health awarded a $23 million, federally funded emergency contract in July to conduct tracing — did not respond to requests for comment.
Health department spokesperson Barry Ciccocioppo said the department was unaware the additional link was active and was investigating.
The spreadsheet, which remained active as of 5:30 p.m. Wednesday, is associated with the Google Drive account of a former employee of Insight Global. Reached Wednesday, the employee said she was unaware the information had been stored in her personal account.
The situation raises questions about how many other documents with personal information might exist in the Google accounts of current and former employees, and therefore might not be immediately apparent to, or under the control of, the company or state officials.
James Lee, chief operating officer of the Identity Theft Resource Center, a San Diego-based nonprofit that tracks security breaches and assists businesses and consumers with cybersecurity issues, also said shutting down the links doesn’t solve the problem unless it can be determined with certainty that no information was copied, downloaded, or saved.
Though no financial information was included in the contact tracing data, details like birthdays, family member names, and places of residence could be used for phishing scams or to pass authentication tests to recover passwords or apply for programs like unemployment, he said.
“These seemingly innocuous pieces of information can be misused,” Lee said. “And right now, that is a more common use of information than what we have traditionally thought of in terms of data breaches and identity theft.”
The state and Insight Global in late April acknowledged the personal information of as many as 72,000 people had been stored insecurely in Google documents accessible to anyone with a link. The statement came in response to a report by Pittsburgh NBC affiliate WPXI, which obtained links to several spreadsheets containing details of those who had been contacted.
In a statement issued April 29, the company apologized for the security lapse and said it was “committed to restoring the trust of any residents of Pennsylvania who may have been impacted.” The company said it became aware on April 21 that the data was compromised and “immediately took steps, completed by April 23, 2021, to secure and prevent any further access to or disclosure of information.”
The firm also said it was working with an unnamed information technology security specialist to “determine the nature and scope of the incident.” Additionally, Insight Global said it would contact those whose information was compromised and offer credit and identity theft monitoring.
A spokesperson for the health department told WPXI that its “first priority was to isolate and protect the information that was out there.” The links WPXI provided to state officials in April were shut down shortly after inquiries about the problem. The health department in late May announced it would terminate the contract with Insight Global by the end of this month.
In interviews with Spotlight PA, several current and former Insight Global contact tracers described a chaotic, disorganized work environment exacerbated by a lack of communication between state health officials, the company, and its employees. Guidelines for conducting contact tracing calls changed frequently, and tracers were often not trained properly, they said.
Protocols for assigning and logging completed calls were inconsistent, and the platforms used to manage this information — at various points, a combination of Google Drive, Microsoft Forms, Salesforce, and SharePoint — were glitchy, cumbersome, or not suitable for keeping the data organized and secure, the contact tracers said.
“I don’t think people at Insight Global were surprised that these things became public at all,” one former contact tracer told Spotlight PA, adding that the company was “well aware” that there were security issues.
The employees asked not to be identified in this report because they were not authorized to speak for the company and feared retaliation.
Both Insight Global, which is based in Atlanta, and the state health department are named in a federal lawsuit filed May 5 by an Allegheny County woman who was among those whose personal information was exposed. The lawsuit, which is seeking class-action status, alleges the company was aware of security weaknesses as early as November, and that the state was aware as early as February.
A Nov. 30 email from a contact tracer to an Insight Global operations manager attached to the lawsuit complaint outlines a range of security problems, including concerns about privacy violations, and the mishandling of personal health and employee information.
“We are overutilizing systems that were not provided for us, which presents many issues, as many features are unavailable/limited or not a safe way to handle sensitive information with employees personal email addresses (Google docs, sheets, email, slack, zoom),” the contact tracer wrote.
In a separate email attached to the complaint, dated Feb. 25 and sent to the health department legal counsel office, a former Insight Global employee described concerns about the security of health information.
“Since IG made no attempt to correct my concerns (I found multiple issues and several exposures), I was unsure of what to do with the knowledge I had about their lack of security,” the employee’s email, referring to Insight Global, said.
Phil DiLucente, the attorney representing those affected by the security lapse in the lawsuit, said he couldn’t comment directly on the link active as of Wednesday, but added it again suggested that unsecured files were maintained by Insight Global.
Insight Global was hired by the state health department to deploy more than 1,000 contact tracers. Contact tracers were supposed to call people who came in contact with someone infected with the coronavirus, inform them of the exposure, and discuss quarantine and testing options. It was intended as a strategy to track and prevent spread of the virus.
An emergency procurement request filed by the health department in July said that the department “engaged with multiple staffing agency partners” to evaluate whether they could launch a contact tracing program quickly.
After “at least two conversations with each agency,” the department asked several for a pricing proposal, including details about hourly rates for each position, benefits, and equipment they could provide, including a laptop, headset, and cell phone, the request said.
Insight Global met the request in “the most expedient manner” and was qualified because it had done similar work in New York, the request said.
Throughout the pandemic, contact tracing efforts in many areas of the state were severely hampered by people who were unwilling to answer tracers’ calls or provide personal information, claiming it was an invasion of privacy.