– The Pennsylvania Department of Health and its third-party contractor Insight Global have been sued, after reports that its COVID-19 contact tracing app exposed the sensitive data of at least 72,000 individuals who used the platform.
The lawsuit follows calls from Republican state legislators to investigate the breach, alleging state leaders were made aware of the security issues months ago but dismissed the concerns.
Insights Global was contracted by the health department in August 2020 to provide services, obtain information needed to slow the spread of the virus, and identify and address social service needs.
According to the breach notice, several Insights Global employees created and used multiple, unauthorized Google accounts to share information, including documents tied to contact tracing data collection. In doing so, the channel made the data vulnerable to exposure, beyond authorized employees and public health officials.
The investigation found that personal information collected by employees, related to COVID-19 contact tracing, may have been accessible to unauthorized parties.
The data included the names of individuals with potential COVID-19 exposure, test results, any experienced symptoms, household members, and contact tracing data related to individuals with social support service needs. The potential exposure occurred between September 2020 and April 21, when it was discovered.
However, local news reports showed State Rep. Jason Ortitay was notified of the incident on April 1 and contacted the governor. The response was that the issue was raised several months earlier but that it was found invalid. Ortitay and other State Representatives held a hearing calling for an investigation on May 3.
The lawsuit takes aim at these claims, as well as reports of a cyberattack against Insight Global and the health department.
Filed by Lisa Chapman, an individual impacted by the incident, the lawsuit claims the protected health information collected and stored on the parties’ servers was compromised during the incident as a “direct result of [the parties’] failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect consumers’ PHI.”
The lawsuit demands a jury trial and asks the court to establish the suit as class-action. It argues that the parties did not provide breach victims with timely or adequate notice that “their information had been subject to the unauthorized access of an unknown third party and precisely what specific type of information was accessed.”
Among the range of claims, the victim alleges that the parties failed to properly secure and safeguard PHI as required by HIPAA and failed to comply with industry standards for protecting sensitive information.
The lawsuit also argues that Insight maintained a host of unsecured spreadsheets, databases, and documents containing PHI.
“These documents were widely available to the public through a Google search and did not require a password, log in, or any kind of authentication in order to be viewed,” the lawsuit reads. “Insight was aware that its employees were using unsecured data storage and communications methods as early as November 2020.”
The victim claims that health department officials were first notified of the incident in February 2021, in direct conflict with the breach notice. But neither party notified individuals until the end of April.
The lawsuit argues that as a direct result, the data of these 72,000 individuals are now in the hands of cybercriminals, and thus, at an increased risk of identity theft. Those individuals will now have to spend time and money to protect themselves from further harm.
Those efforts will include “more carefully screening and scrutinizing phone calls, emails, and other communications to ensure that they are not being targeted in a social engineering or spear phishing attack and searching for suitable identity theft protection and credit monitoring services, and pay to procure them.”
As the impacted data remains in Insight’s and the health department’s servers, the lawsuit also argues these individuals remain at risk from further data compromise.
The victim is seeking equitable relief, requirements for Insight and the health department to implement improve security measures to better protect PHI, attorneys’ fees, and a requirement that the parties pay for at least seven years of credit monitoring services for victims.
It’s the second notable contact tracing lawsuit filed this month. Google was sued by users of California’s public health COVID-19 contact tracing app, alleging the tool exposes user data and violates user privacy.
Meanwhile, the Massachusetts Attorney General is investigating the use of data collected from patients seeking the COVID-19 vaccine from retail pharmacy chains, after reports these sites are collecting data unnecessary to schedule an appointment.
Security researchers and privacy advocates warned about all of the issues highlighted in these cases more than a year ago, after reports these tools would quickly become key elements for the pandemic response.
The US lacks a federal privacy law, which means there are some gray areas for regulating health apps and other third-party data use. As a result, privacy lawsuits have varying results with most settling out of court and the dismissal of others due to a lack of demonstrated, actual harm.