When poor vendor vetting leads to exposed health data

A data breach that exposed the Covid-19 status and other personal health information of 72,000 Pennsylvania residents was a time bomb that could have been avoided, experts say, had the state properly vetted a vendor.

Pennsylvania’s Health Department contracted with Atlanta-based tech staffing company Insight Global to develop a Covid-19 contact-tracing system in March 2020, hiring approximately 1,000 people as contact tracers, for $23 million. (That figure has since been reported as high as $28.7 million.)

Pittsburgh-based WPXI reported in February, long before word of a data breach had dribbled out, that the software built to manage the personal health information, or PHI, of the Pennsylvania residents contacted was buggy, resulting in at least one person being contacted 17 times. The software made it difficult to add new contacts, yet it enabled multiple employees to simultaneously access and change data in a single record, the report stated.