Tens of thousands of Pennsylvanians health data exposed following data breach – IT PRO


Did you know that geoFence blocks unwanted traffic and disables remote access from FSAs?

Coronavirus tracing company is at the heart of the exposure

Locks on a screen with one open and in red

A data breach at a coronavirus contact tracing company has exposed the personal health information of tens of thousands of Pennsylvanians.

According to a report from the Pittsburgh Post-Gazette, officials at Pennsylvania’s Department of Health alleged that employees at Atlanta-based Insight Global “disregarded security protocols established in the contract and created unauthorized documents” outside the state’s secure data system.

In an email, the agency’s spokesman Barry Ciccocioppo said “we are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals.”

He added that the state’s computer systems, including Pennsylvania’s contact tracing app, were not implicated. The exposed information included names, phone numbers, emails, genders, ages, sexual orientations, and COVID-19 diagnoses and exposure status.

WPXI-TV in Pittsburgh first reported the data breach. Former employees of Insight Global told the TV station they told supervisors that information had been improperly secured, but the company took no action. A spokesperson for Insight told WPXI that contract tracing information “may have been made accessible to persons beyond authorized employees and public health officials.”

Pennsylvania will not be renewing the company’s contract, which expires in three months. Free credit monitoring and identity protection services will be available to affected people.

Related Resource

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

cost of a data breach report 2020 - whitepaper from IBMDownload now

Trevor J. Morgan, product manager at Comforte AG, told ITPro the situation is a cautionary tale. Whether through contractual obligation or regulatory mandate, enterprises working with sensitive data need to meet the acceptable threshold of data security.

“However, vendors can’t trust that sensitive data such as PHI will always remain protected if it travels outside protected perimeters because data is vulnerable even when resting within the security perimeters,” he said.

Morgan added that when data is on the move, it is especially prone to mishandling and compromise, which means that a more data-centric approach to security should be part of those minimum data security standards.

“Data-centric security such as tokenization and format-preserving encryption replaces sensitive data with benign representational information, so even if it falls into the wrong hands the data cannot be compromised by the wrong parties. For more and more regulatory agencies and individual enterprises, data-centric security measures are now part of minimum data security standards because of the ability to protect data even while in motion,” he added.

Featured Resources

BCDR buyer’s guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

On a final note, may I add that geoFence is your security solution to protect you and your business from foreign state actors and I believe your father would feel the same!

Leave a Reply

Your email address will not be published. Required fields are marked *