Lawmakers blasted the Wolf Administration Tuesday for declining to participate in an oversight hearing intended to shed light on a data breach by employees of a contractor hired to track and slow the spread of COVID-19.
The breach by the contractor affected at least 72,000 Pennsylvanians.
State Sen. Kristin Phillips-Hill, R-York County, the chairwoman of the Senate communications and technology committee said Tuesday’s hearing was intended to get answers to questions lawmakers are fielding from constituents including: “When did the department know? Who was impacted? What information do these contact tracers have in their possession? Why didn’t the department immediately cancel its contract with the vendor? And where does this information go after the pandemic is over?”
However, she said she was contacted Friday, after she’d already advertised that the hearing would be held, that the Department of Health would not show up.
“The opportunity to provide transparency was lost,” she said. “Questions still remain,” Phillips-Hill said.
State Sen. Pat Stefano, R-Fayette County, said he was “very disappointed” that the Wolf Administration didn’t send a representative to the hearing.
“I had big concerns about contact tracing and privacy,” he said. “Now we have lots of questions,” Stefano said.
Maggi Barton, a Department of Health spokeswoman, said that administration officials couldn’t participate due to a lawsuit inspired by the incident.
“The Department of Health was planning to participate in today's Senate hearing. However, once a lawsuit against the department was filed, we were unable to accept the invitation because we do not comment on matters relating to pending litigation,” she said.
That lawsuit was filed last Wednesday alleging that the actions of the Department of Health and Insight Global, the company hired by the state last summer to contact trace individuals who’d tested positive for COVID or been exposed to someone who’d tested positive for COVID, had put sensitive personal information at risk, court records show.
The lead plaintiff in the lawsuit is a Westmoreland County but attorneys in the case have indicated they are seeking to have the case tried as a class-action lawsuit on behalf of all the individuals who’d had their personal information exposed by the Insight Global employees, according to court records. A trial date has not been set.
Insight Global released a statement on April 29 acknowledging that employees had used Google accounts to share personal information about some of the people contacted as part of the contact tracing process from September 2020 through April 21.
The company’s statement indicated that “Insight Global leadership became aware of this security vulnerability on April 21.”
“At this time, we believe the impacted information consisted of names of individuals who may have been exposed to COVID-19, whether they were positive or negative for COVID-19, if they experienced symptoms, information about number of members in household, and for certain individuals, email and telephone numbers and information to address any needs for specific social support services,” according to the company’s statement.
Insight Global’s statement indicates that neither company officials nor state officials were aware of any cases where the information had been misused but said that free credit monitoring and identity protection services had been offered to those impacted.
Records included in support of the lawsuit show that an Insight Global employee had warned of mishandling of personal health information and “privacy violations” as early as Nov. 30. Court documents also show that the Department of Health was contacted by a former Insight Global employee on Feb. 25 who complained about “non-compliant behavior” related to personal information and possible violations of the Health Insurance Privacy and Portability Act.
The Department of Health has previously blamed the vendor for the problem and indicated that when the contract with Global Insight expires in June, it won't be renewed. The state has paid the company close to $29 million for contact tracing services, according to the state Treasury Department.