Committee advances measure to require swift notification of data breaches in state agencies, third-party vendors

PA Dept. of Health waited two months to notify Pennsylvanians after contact tracing program exposed over 72K personal records

HARRISBURG – The Senate Communications and Technology Committee, chaired by Senator Kristin Phillips-Hill (R-York), unanimously approved a proposal that will strengthen the state’s Breach of Personal Information Act following a massive data breach with the state’s contact tracing program.

The legislation, sponsored by Senator Dan Laughlin (R-Erie), would require any state agency, county, school district or municipality that experiences a data breach to provide notice of the breach within seven days of discovery. The state’s Attorney General would be notified within three business days of the breach that occurs in a state agency. The county District Attorney would be notified within three business days if the breach occurred in a county, school district or municipality.

Senator Pat Stefano (R-Fayette, Somerset, Westmoreland), who serves as the committee’s vice chairman, amended the bill to extend the public protections to third-party entities that contract with the state.

“Tens of thousands of Pennsylvanians had their personal health data floating around on the Internet and in the hands of people who should not have it. The department waited months to disclose this major data breach after it was first notified. This legislation will put a process in place to make those data breach notifications much timelier, and better protect Pennsylvanians moving forward,” Laughlin said.

“To date, the department still will not provide the public with clear answers on what transpired over the last year with this emergency contract. Valuable taxpayer dollars were used for this contract, which is why this amendment is so critical. Every Pennsylvanian should have confidence when they provide their personal information to state government or any government contractor, that it will be secure and protected. If a breach occurs, the notification should be timely, not swept under the rug for two months. The department failed over 70,000 individuals and this legislation will remedy this issue,” said Stefano, who raised major concerns at the committee’s public hearing earlier this month.

“We have major concerns that are still unresolved and questions that are still unanswered due to this data breach of major proportions. However, the committee took an important step to address this issue through the efforts of Senators Laughlin and Stefano,” Phillips-Hill said.

The legislation now advances to the full Senate for its consideration.

Background:

On July 25, 2020, the Department of Health awarded a $22.9 million emergency contract to Georgia-based Insight Global to conduct contact tracing efforts through July 31, 2021.

On April 30, 2021, WPXI-TV uncovered that tens of thousands of individuals had their personal health care data exposed after a data breach at Insight Global, the Department of Health’s third-party vendor in charge of contact tracing COVID-19 individuals. Compromised data included names, phone numbers, email addresses, genders, ages, COVID-19 diagnoses, and sexual orientation.

Phillips-Hill’s committee scheduled a public hearing for May 11 with officials from the Department of Health in order to learn when the state agency first knew of the massive breach, why the contractor was not immediately fired, how many people were affected, including whether any were minors, and where the data will go after the pandemic is over.

On Friday, May 7 at 6 p.m., the department announced it would no longer participate in the hearing. The committee still conducted the public hearing, allowing lawmakers to publicly ask the questions that remain unanswered regarding the massive data breach.

WPXI-TV obtained an email that was sent to the Department of Health on February 25 notifying the state agency of a possible data breach. The department went public with the data breach two months later.

The legislation passed by the committee would require a data breach notification to be made within one week.


PHOTO CAPTION: Senator Dan Laughlin (R-Erie) speaks in support of legislation he authored to update the state’s Breach of Personal Information Notification Act to require state agencies to properly notify individuals affected within three days of the data breach. The Senate Communication and Technology Committee approved the legislation after the Dept. of Health’s COVID-19 contact tracing vendor exposed over 70,000 Pennsylvanians’ personal health records.

PHOTO CAPTION: Senator Pat Stefano (R-Fayette, Somerset, Westmoreland) offers an amendment during a Senate Communications and Technology Committee meeting to require greater oversight to third-party entities that contract with state government. The underlying legislation will require greater notification and streamline the process in the instance of a data breach within a state agency. The committee acted in light of a massive data breach impacting over 72,000 Pennsylvanians.

PHOTO CAPTION: Senator Kristin Phillips-Hill (R-York) chairs a Senate Communications and Technology Committee meeting at the state Capitol. The committee approved legislation that would strengthen and streamline the process for data breaches within state agencies, as well as with any third-party entity that contracts with state government.
