Pennsylvania should immediately terminate the no-bid state contract of a company that performed COVID-19 contact tracing and exposed the private medical information of tens of thousands of residents, Republican state lawmakers said Monday.
GOP leaders also called for state and federal probes into the Atlanta-based contractor's mishandling of the data, and what they said was the slow response by the Wolf administration.
Employees of Insight Global used unauthorized Google accounts — readily viewable online — to store names, phone numbers, email addresses, COVID-19 exposure status, sexual orientations and other information about residents who had been reached for contact tracing. The company's contract with the state required it safeguard people's data.
The Department of Health said last week at least 72,000 people were impacted. The state plans to drop Insight Global once its contract expires at the end of the July.
But GOP lawmakers said at a news conference at the Capitol on Monday that the administration of Gov. Tom Wolf needs to find a new vendor immediately.
“The public trust in Insight Global is gone,” said state Rep. Jason Ortitay, R-Allegheny. “And as as long as the company continues to do contact tracing for our state, who is going to give them any information?”
The state has paid Insight Global nearly $29 million since last summer to administer the state’s contact tracing program. Contact tracers identify people who have been exposed to the coronavirus so they can quarantine.
Insight Global has acknowledged it mishandled sensitive data and apologized. In a statement last week, the company said it became aware on April 21 that employees had set up the unauthorized Google accounts for sharing information. Insight Global said it took steps to secure the information and that it was unaware of “the misuse of the information involved.”
Insight Global has hired about 900 people as part of its contract with the state. Health Department spokesperson Barry Ciccocioppo said the Health Department plans to “transition away” from the company when its contract ends.
Republican lawmakers have faulted the Democratic administration over its handling of the matter.
Ortitay said he was alerted by a reporter for WPXI-TV about the mishandled data on April 1 and, in turn, immediately contacted the Health Department that day to ask questions about the vendor and its software. He said he alerted the governor's office on April 7 when he got no reply from the Health Department, and was explicit about the data breach. On April 13, he said, administration officials told him the claims had been looked into months ago and were false.
“I just took their word for it,” he said Monday.
The Health Department asserted late Monday that it was unaware of the issue with Insight Global until April 19.
Ciccocioppo said Ortitay “did not raise any data security concerns” in his April 1 email to the department but “simply asked questions about the vendor.” Ciccocioppo said agency officials “immediately took action" once it learned about the problem from WPXI. He did not say whether the governor's office had been in contact with Health Department staff about the problems at Insight Global.
“The incident occurred because certain employees of Insight Global disregarded security protocols established in the contract and created unauthorized documents outside of the secure data systems created by the commonwealth," he said. “That situation has been corrected.”