For many people across the country, the worst of the COVID-19 pandemic is starting to feel like it's over. Vaccines are available, and summer weather means more safe outdoor activities. One ongoing concern, however, is the massive amount of personal data that has been involved in COVID-19 prevention programs like contact tracing. Who is charged with protecting this information from cybercriminals, and what happens when a breach occurs?
Across the country, states and municipalities may start discovering the answers the hard way. One recent lawsuit names the Commonwealth of Pennsylvania as a defendant after a company working for the state's Department of Health was involved in a data breach, according to the National Law Review. More than 72,000 people were impacted.
The reasons for the lawsuit
The issues surrounding the Department of Health and the vendor involved, Atlanta-based contact tracing company Insight Global, began after multiple Insight Global employees shared information through Google accounts rather than through the more secure channels that were part of the company's network.
Some of the personal information stolen included the names of exposed individuals, any symptoms they may have experienced, the number of members in their household and contact information such as email addresses and phone numbers. In some cases, the breach also included details about the kinds of social support services a person may have required if they sought treatment. Notably, the breach did not involve some of the more impactful forms of personal data, such as Social Security numbers, banking information, credit card numbers or other payment information.
Claims made as part of the related class-action lawsuit include that the breach was the result of negligence and unlawfully gave "publicity to private life." As a result of these alleged violations, the suit claims that both the Pennsylvania Department of Health and Insight Global fell short of their obligations under the Health Insurance Portability and Accountability Act (HIPAA). Notably, the suit also alleges that health officials were aware of the breach far earlier than they publicly disclosed it.
Damages sought include compensation for the members of the class-action suit and new policies related to "data collection, storage and safety."
A contract cut short
While the state of Pennsylvania may be bearing some of the brunt of this lawsuit, the contractor involved in the breach is also facing additional serious consequences. According to KDKA 2, Pittsburgh's local CBS affiliate, the Pennsylvania Department of Health will be cutting short its contract with Insight Global almost a month early. The contract with Insight Global was supposed to run out July 31 but will instead be terminated in June. The contract was originally worth more than $20 million.
In a statement, Acting Pennsylvania Health Secretary Alison Beam noted the early termination, but said her staff is working to ensure that there won't be a break in contact tracing capabilities. Beam also discussed details about Insight Global's responsibilities to Pennsylvanians impacted by the breach — even after the end of its contract.
"As you know, the Department has required Insight Global to notify individuals impacted by the recent security incident. We anticipate those notifications to begin this week. Insight Global's obligations to remedy the security incident extend beyond the termination of the contract and are not impacted by this decision," said Beam.
Shortly after, on May 24, the State Senate's Communications and Technology Committee announced that it was seeking to put forward a bill updating the Breach and Personal Information Act. The proposed legislation would be designed to increase transparency surrounding medical data breaches.
When contacted by KDKA 2 for more information, the Department of Health cited the ongoing litigation against it as a reason to not give more specific information.
Cybersecurity capabilities you can trust
Even if your organization doesn't work with large amounts of personal data, as Insight Global and the Pennsylvania Department of Health do, protecting your information is still essential. Data breaches are rising in cost and impact each year and, depending on the data you work with, could leave you exposed to litigation. One of the easiest and most important ways to shore up your network is to ensure all of your applications are protected by modern, secure identity frameworks. This can include multi-factor authentication, and some vendors are even moving to integrate biometric recognition technologies such as fingerprint readers. Note, though, that the Pennsylvania incident stemmed from data being moved outside the company's sanctioned channels, so identity controls on their own are not enough: they need to be paired with policies and technical controls that keep sensitive data inside approved systems.