Contact tracing might be the best way to tamp down a viral outbreak in its early stages — find and isolate exposed people as soon as possible — but the technique also raises plenty of privacy concerns. Perhaps inevitably, those were realized recently when the Pennsylvania Department of Health announced a vendor had compromised Covid-19 contact tracing data on 72,000 residents.
The compromised information is very sensitive — it includes patients’ Covid exposure status and their sexual orientation, according to the Associated Press.
The vendor, Atlanta-based IT staffing company Insight Global, said in a statement that information the firm collected “may have been accessible to persons beyond authorized employees and public health officials.” The company blamed employees who created an “unauthorized collaboration channel” and set up several Google accounts for information sharing.
“Documents related to contact-tracing collection were included among the information that may have been vulnerable to access,” the firm said.
It’s unclear why Insight Global would have collected and stored information on sexual orientation. The firm did not mention sexual orientation in its press release. Neither the Pennsylvania Health Department nor Insight Global responded to my inquiries about it.
“At this time, we believe the impacted information consisted of names of individuals who may have been exposed to COVID-19, whether they were positive or negative for COVID-19, if they experienced symptoms, information about number of members in household, and for certain individuals, email and telephone numbers and information to address any needs for specific social support services,” Insight Global said.
In traditional contact tracing, state or local health department employees call confirmed virus victims and, during interviews, build a list of contacts who might also have been exposed — then, those potentially sick people are contacted and urged to isolate. That means the conversations logged by Insight Global employees were highly intimate.
“Not so unexpected. Maybe a ‘small’ breach compared to others in size but no less potentially devastating to individuals who might be affected,” said Professor Ken Rogerson of Duke University.
Disclosure: Duke University is currently running a year-long study about the privacy implications of contact tracing. Rogerson is part of the study, and I am an advisor to the project.
To get a sense of how these contact tracing conversations are conducted, read this blog post by Duke student Joslin Coggan, who worked as a contact tracer. Or this post by students Paige Kleidermacher and Lily Li about patients’ experiences with contact tracing phone calls.
States had to ramp up contact tracing at breakneck speed; it’s easy to see how security and privacy issues might have been neglected during the pandemic’s early days, and more stories like this are to be expected. Insight Global said, however, that employees mistreated the contact information they’d collected from September 2020 to April 21, 2021. By that time, extensive training and technology-imposed limits could have been put in place to prevent the use of personal Google accounts to share intimate patient data.
“The leak of personal information at the Pennsylvania (Department of Health) is a perfect example of security measures not being prioritized. Our understanding is that contact tracing systems were established swiftly, given the pandemic and the need for response. However, not ensuring oversight and security could be seen as a critical misstep,” said Jon Clemenson, director of information security at security firm TokenEx.
At the beginning of the pandemic, nations around the world rushed to set up high-tech contact tracing technology that would identify potentially exposed people via cell phone location. The system was highly controversial; Apple and Google collaborated on a technique that would theoretically allow phones to do this anonymously, via Bluetooth wireless technology. There is no indication that information collected via digital contact tracing was involved in the Pennsylvania data breach.
Still, the breach highlights the thorny relationship between the promise of aggressive public health measures like contact tracing and their potential pitfalls. Even well-designed systems can be defeated by third-party vendors and rogue employees, particularly when systems and teams are hastily assembled.
“Vendor management is a critical component of cybersecurity and privacy. As we see more use of private sector companies as service providers for government functions, it puts more importance on the due diligence that is done to approve the vendors and then the risk management processes to oversee their processing and handling of personal data,” said Prof. David Hoffman, also part of the contact tracing project at Duke. “The issues with Solarwinds showed recently how important it is to review providers of hardware, software and services to determine that they have the 3 Ps of accountability: Policies, Processes and People. Service providers need to be able to demonstrate that they have invested properly in the 3 Ps to be entrusted with sensitive personal data or to have their products operate on networks that contain sensitive information.”