Tens of thousands of Pennsylvanians health data exposed following data breach
Coronavirus tracing company is at the heart of the exposure

A data breach at a coronavirus contact tracing company has exposed the personal health information of tens of thousands of Pennsylvanians.
According to a report from the Pittsburgh Post-Gazette, officials at Pennsylvania’s Department of Health alleged that employees at Atlanta-based Insight Global “disregarded security protocols established in the contract and created unauthorized documents” outside the state’s secure data system.
In an email, the agency’s spokesman Barry Ciccocioppo said "we are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals."
He added that the state’s computer systems, including Pennsylvania's contact tracing app, were not implicated. The exposed information included names, phone numbers, emails, genders, ages, sexual orientations, and COVID-19 diagnoses and exposure status.
WPXI-TV in Pittsburgh first reported the data breach. Former employees of Insight Global told the TV station they told supervisors that information had been improperly secured, but the company took no action. A spokesperson for Insight told WPXI that contract tracing information "may have been made accessible to persons beyond authorized employees and public health officials."
Pennsylvania will not be renewing the company’s contract, which expires in three months. Free credit monitoring and identity protection services will be available to affected people.
Trevor J. Morgan, product manager at Comforte AG, told ITPro the situation is a cautionary tale. Whether through contractual obligation or regulatory mandate, enterprises working with sensitive data need to meet the acceptable threshold of data security.
Get the ITPro. daily newsletter
Sign up today and you will receive a free copy of our Focus Report 2025 - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“However, vendors can’t trust that sensitive data such as PHI will always remain protected if it travels outside protected perimeters because data is vulnerable even when resting within the security perimeters,” he said.
Morgan added that when data is on the move, it is especially prone to mishandling and compromise, which means that a more data-centric approach to security should be part of those minimum data security standards.
“Data-centric security such as tokenization and format-preserving encryption replaces sensitive data with benign representational information, so even if it falls into the wrong hands the data cannot be compromised by the wrong parties. For more and more regulatory agencies and individual enterprises, data-centric security measures are now part of minimum data security standards because of the ability to protect data even while in motion,” he added.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.

‘It’s your worst nightmare’: A batch of €5 hard drives found at a flea market held 15GB of Dutch medical records – and experts warn it could’ve caused a disastrous data breach

3.3 million people were exposed in the DISA data breach – it took the firm 10 months to disclose the incident