Cybersecurity experts say this is just the beginning. Over 72,000 compromised clients have had their sensitive private information exposed on the internet. That’s what they get for complying with Pennsylvania’s Covid “Contact Tracing” schemes.
Compromised sensitive data
One would think that a company paid nearly $29 million dollars for a single project would be able to use something a little more secure than Google’s G-Drive to store sensitive HIPPA controlled information. You would be wrong.
You would also be wrong to expect state officials to have a clue what the company they contracted with was up to with all that cash. The State of Pennsylvania hired a contractor to trace covid-19 exposures and they compromised “names, phone numbers, email addresses, genders, and COVID-19 diagnosis or exposure.” It’s all on Google and lawyers claim it’s searchable on the internet too.
Last week, Commonwealth officials admitted that “employees of a vendor paid to conduct COVID-19 contact tracing may have compromised the private information of at least 72,000 people.” Oops. Over at Pennsylvania’s Health Department they hit the ceiling to learn “workers at Atlanta-based Insight Global disregarded security protocols established in its state contract.”
They never bothered to check on compliance either. They ordered the third-party to “secure the records” now. Insight Global brought in some “third-party specialists to conduct a forensic examination” to find out how bad the damage is.
The Health Department apologizes that sensitive information “may have been made accessible to persons beyond authorized employees and public health officials.”
Like by Google search. They aren’t going to renew the contract, they promise. Concerned Pennsylvanians “can call 1-855-535-1787 if they believe their information was compromised by the incident.”
Private means private
“Information about private health conditions,” lawyers for the affected citizens declare, “should remain private and not wind up on the other end of a Google search.” Pittsburgh based attorneys filed a federal class-action lawsuit.
The first COVID-19 contact tracing suit ever. The state Senate will be holding a hearing over the compromised data on Tuesday and they plan to drag the acting health secretary in for a good grilling.
Attorney Jack Goodrich proclaims that the “representations that were made to people that this was going to be protected, this was going to be private, nobody was going to know about it. To the contrary, that was not what happened.”
His associates Phil DiLucente, Lauren Nichols and Ken Nolan are just as mad about the compromised information. “We would all agree that there is nothing more personal than a person’s private health information,” DiLucente relates.
It wasn’t vague aggregate information that was compromised but specific and damaging data. “We’re not just talking about someone’s name, gender, or their phone number or their sexual orientation or gender presentation or family size or members of their family but health data, the place that they work.”
Nichols adds, how “does getting paid $29 million lead to using a Google document and private personal Gmail accounts, rather than some sort of secured internal server, secured network?”