Pennsylvania is firing a company that performed COVID-19 contact tracing and exposed the private medical information of tens of thousands of residents, state officials said Thursday.
Employees of Insight Global used unauthorized Google accounts — readily viewable online — to store names, phone numbers, email addresses, COVID-19 exposure status, sexual orientations and other information about residents who had been reached for contact tracing. The company's contract with the state required it safeguard people's data.
The Department of Health said last month that at least 72,000 people were impacted.
The state had planned to drop Insight Global once its contract expires at the end of the July, but the Health Department said Thursday it will terminate the contract early, on June 19.
The department said that it was taking action "after more fully evaluating the circumstances" of the security lapse.
Insight Global is required to notify impacted people, and the Health Department said those notifications would begin next week. The department said the state's contact tracing operation would continue with a new vendor.
"We are working to make sure that there is not a break in continuity in our contact tracing services as we transition out of the Insight Global contract and into our next contract," Acting Health Secretary Alison Beam said at a news briefing Thursday.
State Rep. Jason Ortitay, R-Allegheny, who has accused the Wolf administration of being slow to act on the breach, said in a statement that he is pleased the state is severing ties with the Atlanta-based company, but that he still wants answers about the incident.
"This deserves a full investigation so we can learn what happened and how to prevent it from happening again moving forward," he said.
Both Insight Global and the Health Department are facing litigation over the breach.
A federal lawsuit said the company had known about the improper handling of people's confidential medical information as early as November — and that the Health Department learned of it as early as February — but neither took any action until April 21. The lawsuit, filed on behalf of a New Kensington woman who had been contacted by Insight Global, seeks class action status.
The plaintiffs "have had their most personal, sensitive and private information disseminated to the public at large," the suit said, and are at heightened risk of identity theft.
The state has paid Insight Global tens of millions of dollars since last summer to administer the state's contact tracing program. Contact tracers identify people who have been exposed to the coronavirus so they can quarantine.
Insight Global has acknowledged it mishandled sensitive data and apologized. The company has said it only became aware on April 21 that employees had set up the unauthorized Google accounts for sharing information. Insight Global said it took steps to secure the information.
"Insight Global is committed to supporting a smooth transition of this program," the company said in a statement Thursday. "Although neither Insight Global nor the Commonwealth of Pennsylvania are aware of any misuse of the information involved, we understand the concern this potential access to such information may raise."