A lawsuit requesting class-action status alleges the Pennsylvania Department of Health and its contact tracing vendor failed to provide adequate cybersecurity measures to protect residents' protected health information.
The lawsuit was filed on May 5 on behalf of Pennsylvania resident Lisa Chapman, one of the 72,000 residents who were affected by a data breach that left PHI exposed from at least September 2020 to April 2021.
Six details:
- According to court documents, Ms. Chapman is suing the Pennsylvania Department of Health and Insight Global, the state's contact tracing vendor, for allegedly failing to secure residents' PHI.
- The lawsuit said that there was no competitive bidding process for the approximately $23 million contract Insight Global received from the DOH.
- The lawsuit alleges Insight Global received the PHI of Pennsylvania residents who either tested positive for COVID-19 or had come into contact with those who had — as well as intimate information about the members of their household.
- The lawsuit alleges that Insight Global maintained information on tens of thousands of Pennsylvania residents, including names, phone numbers, email addresses and COVID-19 diagnoses. None of the information was password protected, and it was available to the public through a Google search.
- The DOH was notified about the breach as early as February, but neither DOH nor
Insight Global worked to secure the PHI until April, the lawsuit alleges. - As a result of the DOH and Insight Global's alleged relaxed privacy measures, the PHI is in the hands of cybercriminals, thieves and other potentially hostile environments, the lawsuit claims.