PA private data from contact tracing calls is still online despite assurances that it had been secured.
A data table was still online on Wednesday
Jamie Martines / Spotlight PA
Jamie Martines joined Spotlight PA in 2020 after four years at TribLIVE / Pittsburgh Tribune-Review. During her residency in Pittsburgh, she spent two years in education before moving to reporting on the Allegheny County government and special projects. She has covered major breaking news in the Pittsburgh area, including the novel coronavirus outbreak, the Tree of Life mass shooting, air quality concerns following a series of fires at the Clairton Coke Works, and the Pennsylvania grand jury investigation into clergy abuse in the US Catholic Church. Before devoting herself to journalism, Martines worked for a non-profit organization in the Chinese province of Yunnan and lived there for three years.
June 9, 2021 | 6:33 pm
Spotlight PA is an independent, bipartisan newsroom operated by The Philadelphia Inquirer in association with PennLive / The Patriot-News, TribLIVE / Pittsburgh Tribune-Review, and WITF Public Media.
(Harrisburg) – Personal data collected from coronavirus contact tracing calls in Pennsylvania is still available online in a document accessible by link, Spotlight PA has learned, more than a month after the company responsible said the data had been secured.
The information contained in an active Google Spreadsheet includes the names of people who may have been infected with the coronavirus along with their dates of birth, phone numbers, places of residence, and notes about their test status or other personal information.
The entries are dated October 22, 2020 to November 10, 2020 and identify around 66 people – many of them minors, according to the birthdays listed. The link to the spreadsheet was provided to Spotlight PA as part of a cache of links that contained call scripts used by contact tracers, educational materials, and other resources.
Insight Global – the company to which the state Department of Health awarded a federally funded $23 million emergency contract in July to conduct the tracing – didn’t respond to requests for comment.
Health Department spokesman Barry Ciccocioppo said the department was unaware that the additional link was active and was investigating.
The spreadsheet, which remained active at 5:30 p.m. on Wednesday, is linked to a former Insight Global employee’s Google Drive account. Reached on Wednesday, the employee said she did not know the information was stored in her personal account.
The situation raises the question of how many other documents containing personal information may be in the Google accounts of current and former employees, and therefore not immediately visible to, or under the control of, the company or government officials.
James Lee, chief operating officer of the Identity Theft Resource Center, a San Diego-based nonprofit that tracks security breaches and helps businesses and consumers with cybersecurity issues, also said closing the links won’t solve the problem unless it can be said with certainty that no information has been copied, downloaded or saved.
Although financial information was not included in the contact tracing data, details like birthdays, names of family members and places of residence could be used in phishing scams or in authentication tests to recover passwords or apply for programs like unemployment, he said.
“This seemingly innocuous information can be misused,” said Lee. “And right now, this is a more common use of information than what we traditionally thought about data breaches and identity theft.”
The state and Insight Global announced in late April that the personal information of up to 72,000 people had been stored insecurely in Google documents that anyone with a link could access. The statement came in response to a report from Pittsburgh NBC subsidiary WPXI that included links to several spreadsheets with details of the people contacted.
In a statement released on April 29, the company apologized for the vulnerability and said it was “committed to restoring the confidence of all Pennsylvania residents that may be affected.” The company said it learned of the compromise of the data on April 21 and “immediately took steps that will be completed by April 23, 2021 to secure and prevent further access to or disclosure of information.”
The company also said it was working with an unnamed IT security specialist to “determine the nature and scope of the incident.” In addition, Insight Global announced that it would reach out to those whose information had been compromised and offer credit and identity theft monitoring.
A Health Department spokesman told WPXI that his “first priority is to isolate and protect the information that is out there.” The links WPXI made available to state officials in April were closed shortly after inquiries about the issue. The Health Department announced at the end of May that it would terminate the contract with Insight Global by the end of this month.
In interviews with Spotlight PA, several current and past Insight Global contact tracers described a chaotic, disorganized work environment made worse by a lack of communication between government health officials, the company and its employees. The guidelines for making contact tracing calls changed frequently, and tracers were often not trained properly, they said.
Logs for assigning and logging completed calls were inconsistent, and the platforms used to manage this information – in various places a combination of Google Drive, Microsoft Forms, Salesforce, and SharePoint – were buggy, cumbersome, or inadequate for organizing the data and keeping it secure, the contact tracers said.
“I don’t think the people at Insight Global were surprised that these things were even made public,” a former contact tracer told Spotlight PA, adding that the company was “very aware” that there were security issues.
The employees asked not to be named in this report because they were not authorized to speak for the company and feared retaliation.
Both Atlanta-based Insight Global and the state health department are named in a federal lawsuit filed on May 5 by an Allegheny County woman who was among those whose personal information was disclosed. The lawsuit, which seeks class-action status, claims that the company was aware of vulnerabilities as early as November and the state was aware of vulnerabilities as of February.
An email dated November 30th from a contact tracer to an Insight Global operations manager, attached to the complaint, outlined a number of security issues, including concerns about data breaches and improper use of personal health and employee information.
“We overload systems that were not made available to us, which creates many problems because many functions are not available / limited or there is no secure way to transfer confidential information with the personal e-mail addresses of employees (Google documents, tables, e-mail, Slack, Zoom),” wrote the contact tracer.
In a separate email attached to the complaint, dated February 25 and sent to the Department of Health’s Legal Advisory Service, a former Insight Global employee described concerns about the security of health information.
“Since IG made no attempt to correct my concerns (I found multiple issues and multiple anomalies), I wasn’t sure what to do with my knowledge of their unsafe conditions,” the employee said in the email, referring to Insight Global.
Phil DiLucente, the attorney representing those affected by the vulnerability in the lawsuit, said he could not directly comment on the link active on Wednesday, but added that it again suggests that Insight Global is managing unsecured files.
Insight Global was contracted by the state Department of Health to deploy more than 1,000 contact tracers. Contact tracers were to call people who had come into contact with someone infected with the coronavirus, inform them of the exposure, and discuss quarantine and testing options. It was intended as a strategy to track the virus and prevent it from spreading.
An emergency procurement request submitted by the health department in July said the department “worked with multiple recruiting partners” to see if they could quickly launch a contact tracing program.
After “at least two conversations with each agency,” the department asked several for a quote, including details of hourly rates for each position, services, and equipment they could provide, including a laptop, headset, and cellphone, the request said.
Insight Global had fulfilled the request “in the most expedient manner” and was qualified because of similar work in New York, the request said.
Throughout the pandemic, contact tracing efforts in many areas of the state have been severely hampered by people who were unwilling to answer calls from tracers or provide personal information, claiming it was an invasion of privacy.