Insight Global Calls on Former Employees to Secure PII Data Breach

June 22, 2021 - Insight Global, a company hired by the state of Pennsylvania to administer its contact tracing program, asked former and current employees to return and secure any documents that might still contain personal information months after its data breach exposing personally identifiable information (PII) was supposedly secured.

According to local NPR affiliate WESA, an email obtained by Spotlight PA from Insight Global’s lawyer on June 11th stated: “As an effort to preserve all relevant materials, IG is working to ensure that any documents in the possession of individuals who worked on the contact tracing assignment for the Commonwealth of Pennsylvania are properly secure.”

Spotlight PA also discovered a Google document that remained available to anyone with the link more than a month after Insight Global stated its data was secured. The document identified 66 people, most of them minors, and contained birthdates, phone numbers, and counties of residence.

The document was located in a former employee’s Google account, and it is unclear how many like it are still exposed. The employee said she was not aware that the information was stored on her account.

The statement said that Insight Global will help employees return and secure documents, “as well as confirming that any internet links or electronic files have the proper security controls in place to ensure that they are not accessible by any third-parties.”

The company’s goal is to “limit any further disclosure of sensitive information of persons contacted as part of these contact tracing efforts,” according to the letter.

Insight Global had a $23 million contact from Pennsylvania’s Department of Health in July 2020 but has since been fired. The company initially became aware of a data breach on April 21, 2021 and claimed to have all data secured by April 23rd.

An initial report from local NBC affiliate WPXI indicated that the initial breach impacted about 70,000 people in Pennsylvania. Former employees also told the news outlet that they had alerted supervisors of security issues, but no action was taken at the time.

“Since IG made no attempt to correct my concerns (I found multiple issues and several exposures), I was unsure of what to do with the knowledge I had about their lack of security,” an employee of Insight Global stated in an email to Spotlight PA.  

As of Spotlight PA’s June 9th report, there was at least one document still accessible. Insight Global was initially hired at the height of the pandemic to provide 1,000 contact tracers to call people who came in contact with the COVID-19 virus.

One hired contact tracer wrote an email to Insight Global in November, stating, “We are overutilizing systems that were not provided for us, which presents many issues, as many features are unavailable/limited or not a safe way to handle sensitive information with employees personal email addresses (Google docs, sheets, email, slack, zoom).”

Pennsylvania will terminate the company’s contract at the end of the month and a class-action lawsuit was filed on May 5th. Community health nurses and National Guard members will take over contact tracing efforts through at least mid-July.