Breach worries continue for pandemic-related data

For many people across the country, the worst of the COVID-19 pandemic is starting to feel like it's over. Vaccines are available, and summer weather means more safe outdoor activities. One ongoing concern, however, is the massive amount of personal data that has been involved in COVID-19 prevention programs like contact tracing. Who is charged with protecting this information from cybercriminals, and what happens when a breach occurs?

Across the country, states and municipalities may start discovering the answers the hard way. One recent lawsuit names the Commonwealth of Pennsylvania as a defendant after a company working the state's Department of Health was involved in a data breach, according to the National Law Review. More than 72,000 people were impacted.

The reasons for the lawsuit

The issues surrounding the Department of Health and the involved vendor, Atlanta-based contact tracing company Insight Global began after multiple Insight Global employees shared information through Google accounts, rather than more secure channels that were a part of the company's network. 

Some of the personal information stolen included the names of exposed individuals, any symptoms they may have experienced, the number of members in their household and contact information like emails and phone numbers. In some cases, the breach also included details about the kinds of social support services a person may have required if they sought treatment. Notably, the break did not involve some of the more impactful forms of personal data, like Social Security numbers, banking information, credit card numbers or other payment information.

Claims being made as a part of the related class-action lawsuit include that the breach was the result of negligence and had unlawfully given "publicity to private life." Ultimately, as a result of the violations, the suit claims that both the Pennsylvania Department of Health and Insight Global fell short of their obligations under the Health Insurance Portability and Accountability Act (HIPAA). Notably, the suit also alleges that health officials were aware of the breach far earlier than they made publicly available.

Damages sought include compensation for the members of the class-action suit and new policies related to "data collection, storage and safety."

From coding to human error, little mistakes can lead to major data breaches.
From coding to human error, little mistakes can lead to major data breaches.

A contract cut short

While the state of Pennsylvania may be bearing some of the brunt of this lawsuit, the contractor involved in the breach is also facing additional serious consequences. According to KDKA 2, Pittsburgh's local CBS affiliate, the Pennsylvania Department of Health will be cutting short its contract with Insight Global almost a month early. The contract with Insight Global was supposed to run out July 31 but will instead be terminated in June. The contract was originally worth more than $20 million.

In a statement, Acting Pennsylvania Health Secretary Alison Beam noted the early termination, but said her staff is working to ensure that there won't be a break in contact tracing capabilities. Beam also discussed details about Insight Global's responsibilities to Pennsylvanians impacted by the breach — even after the end of its contract.

"As you know, the Department has required Insight Global to notify individuals impacted by the recent security incident. We anticipate those notifications to begin this week. Insight Global's obligations to remedy the security incident extend beyond the termination of the contract and are not impacted by this decision," said Beam.

Shortly after, on May 24, the State Senate's Communications and Technology Committee announced that it was seeking to put forward a bill updating the Breach and Personal Information Act. The proposed legislation be designed to increase transparency surrounding medical data breaches.

When contacted by KDKA 2 for more information, the Department of Health cited the ongoing litigation against it as a reason to not give more specific information.

Cybersecurity capabilities you can trust

Even if your organization doesn't work with large amounts of personal data, as Insight Global and the Pennsylvania Department of Health do, protecting your information is still essential. Data breaches are rising in cost and impact each year and could leave you vulnerable to litigation depending on the data you work with. One of the easiest and most important ways to shore up your network is by ensuring all of your applications are protected by modern, secure identity frameworks.  This can include multi-factor authentication, and some vendors are even moving to integrate biometric recognition technologies such as fingerprint readers.

Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary terminal emulation tool called Inventu Viewer+, a high performance emulation solution that is built with C at its core. Inventu Viewer+ supports SAML 2.0 and other identity technologies to enable securing your critical mainframe applications. This allows developers to craft reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers.  All in all, Inventu Viewer+ supports streamlined IT modernization and meets employer and staff expectations in a way that feels both familiar and simple. Contact us today or review our extensive product catalog to see how Inventu can help you integrate your active terminal emulation with the best web identity frameworks available.