PA Health Dept Sued; Investigation Looms, After Contact Tracing Breach
"The PA health dept. is being sued, after employees of its vendor Insight Global set up an unsecured channel to share COVID-19 contact tracing data, exposing the PHI of 72,000 individuals."
Why this is important: The alleged exposure of COVID-19 contact tracing data is what grabs the headlines in this article, but it is the root cause that should make readers sit up and take notice. Employees of Pennsylvania’s vendor allegedly took data from internal systems and transferred it to Google’s online productivity suite for sharing and collaboration, leaving it unsecured and accessible by the public. This use of unapproved technologies by employees is often referred to as “shadow IT” because employers are frequently unaware of it. And as the allegations here indicate, it can cause significant headaches for companies that find themselves subject to potential liability when those shadow IT systems violate legal requirements or lead to a data breach. This case therefore serves as a good reminder for employers to train their employees on the use of approved technologies and the avoidance of others.