Penn. Dept. of Health, Insight Global Hit with Class Action Over Data Breach Linked to COVID-19 Contact Tracing
Chapman v. Commonwealth of Pennsylvania Department of Health et al.
Filed: May 5, 2021 § 1:21-cv-00824
Pennsylvania’s Dept. of Health and Insight Global face a class action over a recent cyberattack and data breach affecting the state's COVID-19 contact tracing program.
Pennsylvania’s Department of Health and staffing company Insight Global, Inc. face a proposed class action over a recent cyberattack and data breach said to have compromised the private health information of state residents either diagnosed with or found to have been in proximity to someone diagnosed with COVID-19.
The 27-page lawsuit alleges the Pennsylvania DOH and Atlanta-based Insight are directly to blame for the breach, which, per the suit, stemmed from the defendants’ failure to implement “adequate and reasonable” cybersecurity procedures and protocols. According to the case, the defendants have failed to properly secure and safeguard certain Pennsylvania residents’ information and fallen short of industry standards, as well as failed to provide “timely, accurate, and adequate notice” to those affected by the incident.
“DOH was notified of this breach as early as February 2021,” the lawsuit reads. “Neither DOH nor Insight took any action to secure the [personal health information] of Plaintiff or other class members until at least April 21, 2021.”
Insight was contracted by the DOH at the beginning of 2020 to perform contact tracing analysis and other services for the state, the case says. Per the lawsuit, Insight went through no competitive bidding process for the approximately $23 million contract with Pennsylvania. The case adds that the DOH, at all relevant times, assured proposed class members that “all communication related to contact tracing is private and confidential,” and that “your information will stay confidential.”
Information collected by the defendants over 2020 and 2021 for contact tracing purposes included Pennsylvania residents’ names, genders, phone numbers, sexual orientation, gender presentation, family size and other health details, the lawsuit says. The complaint alleges Insight maintained this data in “unsecure spreadsheets, databases, and/or documents” containing the personal health details of “tens of thousands” of proposed class members.
“These documents were widely available to the public through a Google search and did not require a password, log in, or any kind of authentication in order to be viewed,” the suit alleges, charging that Insight was aware that employees were using unsecure data storage and communication methods “as early as November 2020.”
The complaint relays that neither of the defendants took any action to notify those affected by the data breach until at least April 29.
According to the suit, the COVID-19 test result information obtained by the DOH is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Insight, the case says, qualifies as a “business associate” of the department under the law, and as such was required to establish and maintain appropriate data safeguards.
Although the Pennsylvania DOH and Insight have acknowledged the sensitive and confidential nature of COVID-19 contact tracing information, the entities failed to take “appropriate or even the most basic steps” to protect the data, the lawsuit claims, asserting that those affected by the incident now face a heightened risk of fraud, identity theft and use of their personal information by myriad unauthorized parties.
The lawsuit looks to represent all persons in the United States whose personal health information was compromised in the data breach disclosed by the Pennsylvania Department of Health and Insight between March 16, 2020 and April 29, 2021. The case also proposes to cover a “subclass” that includes persons in Pennsylvania who fit the same criteria.