The personal information of more than 72,000 Pennsylvanians was exposed in a data breach last month, and questions and calls for an investigation are mounting.
State Republican lawmakers are leading the calls for an investigation and using the breach as an opportunity to lobby for other agenda items, particularly their desire to repeal some of the governor’s authority.
Democrats have been mostly quiet about the breach.
Those tens of thousands of Pennsylvanians impacted by the breach have not yet been notified.
The state Department of Health on Monday said notifications will be mailed to all affected individuals later this week.
Here’s what the USA TODAY Network Pennsylvania Capital Bureau knows about the data breach:
Who knew about the data breach and when did they know?
The timeline of events is not completely clear.
Rep. Jason Ortitay, R-Washington County, said he first heard of a breach and reached out to the governor’s office in early April. He said he was told it was not true.
The governor’s office did not respond to USA TODAY Pennsylvania Capital Bureau questions seeking clarity.
Ortitay said WPXI, a Pittsburgh TV news station, asked the state Department of Health about the breach, and the department confirmed it early the week of April 19.
The state health department on Monday said it “recently” learned about the breach, but did not clarify a timeline.
Who leaked the information?
The state Department of Health said it recently became aware that certain employees of Insight Global — an Atlanta-based vendor contracted by the department in March 2020 for $29 million to provide contact tracing and other similar services — disregarded security protocols established in the contract and created unauthorized documents outside of the secure data systems created by the commonwealth.
The unauthorized documents existed separately from the official data that Insight Global employees were collecting and providing to the state Department of Health within secure data platforms.
No commonwealth IT assets or systems, including the COVID Alert PA app, were involved or compromised.
What information was leaked?
The leaked documents contained a minimum of 72,000 individuals’ names, and some of the names are associated with additional information such as phone numbers and email addresses along with personal information such as gender, age, sexual orientation, and COVID diagnosis and exposure status, according to the Pennsylvania Department of Health.
The documents did not include financial account information, addresses or Social Security numbers, according to the department.
“The Department of Health takes the safety and security of individuals’ personal information extremely seriously,” said spokesman Barry Ciccocioppo. “We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals.
“Immediately after becoming aware, the Department took swift action demanding Insight Global properly secure the documents. Insight Global engaged third-party IT specialists and immediately began a forensic investigation to identify all individuals who might be impacted.”
How to know if you’re impacted
The state has not yet formally notified the Pennsylvanians who were impacted.
Pennsylvania health officials on Monday said notifications will be mailed to all affected individuals later this week.
Additionally, a hotline has been set up for those who are concerned about the security of their information: 1-855-535-1787.
The hotline opened at 1 p.m. Friday, and 104 calls were received that day, according to the Department of Health.
The toll-free line is staffed from 9 a.m. to 9 p.m. Monday through Friday.
Though no financial information was included, credit monitoring and identity protection services will be offered at no cost to anyone impacted by this incident, the health department said.
What is the state doing about the breach?
As a result of the breach, the state Department of Health is not renewing Insight Global’s contract when it expires on July 31.
“The department is evaluating how to appropriately onboard resources to meet the public health needs of Pennsylvanians,” Ciccocioppo said.
Republicans are calling for the contract to be terminated immediately.
What is being investigated?
Some Republican lawmakers are calling for a full investigation.
“Why didn’t the department or the governor’s office take action when they were notified months earlier and again by me in early April?” Ortitay said. “How many more people had their information compromised because the governor’s administration failed to act immediately? Also, why isn’t the department immediately terminating the contract of this company? Who is going to trust them moving forward? We need a full investigation.”
House Majority Leader Kerry Benninghoff, R-Centre County, said this breach of trust is another reason why the General Assembly put Gov. Tom Wolf’s emergency declarations on the May 18 primary ballot.
The Insight contract “was issued under sole-sourcing no-bid contract authority of the governor’s emergency disaster declaration. That means that the Wolf administration did not need to seek other bids, did not have seek better security maintenance, and did not have additional scrutiny over the issuance of this contract,” Benninghoff said.
“It is the latest example of extreme mismanagement from this administration that resulted in injury to Pennsylvanians and it is another example of why we are putting to the voters Constitutional amendments that would reassert legislative oversight into the management of emergency disaster declarations.”
Candy Woodall is a reporter for the USA TODAY Network Pennsylvania Capital Bureau. She can be reached at 717-480-1783 or on Twitter at @candynotcandace.