The firm also said it was working with an unnamed information technology security specialist to “determine the nature and scope of the incident.” Additionally, Insight Global said it would contact those whose information was compromised and offer credit and identity theft monitoring.
A spokesperson for the health department told WPXI that its “first priority was to isolate and protect the information that was out there.” The links WPXI provided to state officials in April were shut down shortly after inquiries about the problem. The health department in late May announced it would terminate the contract with Insight Global by the end of this month.
In interviews with Spotlight PA, several current and former Insight Global contact tracers described a chaotic, disorganized work environment exacerbated by a lack of communication between state health officials, the company, and its employees. Guidelines for conducting contact tracing calls changed frequently, and tracers were often not trained properly, they said.
Protocols for assigning and logging completed calls were inconsistent, and the platforms used to manage this information — at various points, a combination of Google Drive, Microsoft Forms, Salesforce, and Sharepoint — were glitchy, cumbersome, or not suitable for keeping the data organized and secure, the contact tracers said.
“I don’t think people at Insight Global were surprised that these things became public at all,” one former contact tracer told Spotlight PA, adding that the company was “well aware” that there were security issues.
The employees asked not to be identified in this report because they were not authorized to speak for the company and feared retaliation.
Both Insight Global, which is based in Atlanta, and the state health department are named in a federal lawsuit filed May 5 by an Allegheny County woman who was among those whose personal information was exposed. The lawsuit, which is seeking class-action status, alleges the company was aware of security weaknesses as early as November, and that the state was aware as early as February.
A Nov. 30 email from a contact tracer to an Insight Global operations manager attached to the lawsuit complaint outlines a range of security problems, including concerns about privacy violations, and the mishandling of personal health and employee information.
“We are overutilizing systems that were not provided for us, which presents many issues, as many features are unavailable/limited or not a safe way to handle sensitive information with employees personal email addresses (Google docs, sheets, email, slack, zoom),” the contact tracer wrote.