Protecting personal information with data security is growing in importance as fines under data privacy regulations become more costly. More organizations are collecting consumer data, employee data, and even COVID-19 contact tracing data, and the last of these was compromised in a recent breach. That breach gave bad actors access to the Pennsylvania COVID-19 exposure status and other sensitive personal information of over 72,000 residents.

According to reports, a vendor that collected COVID-19 contact tracing data stored it in an unsecured environment. You may be thinking, “How could this happen?” Employees of the provider reportedly set up unauthorized Google accounts to share COVID-19 symptoms, household data, and, at times, email addresses and phone numbers.

According to a statement by Pennsylvania Department of Health spokesman Barry Ciccocioppo, “Insights Global disregarded security protocols established in the contract and created unauthorized documents.”

It is critical that organizations processing COVID-19-related data (e.g., contact tracing, COVID-19 test and vaccination statuses, and temperature information) handle it with extreme care. This type of data does not fall under privacy protection regulations such as the California Consumer Privacy Rights Act, the Consumer Data Protection Act, or in some cases the Health Information Portability and Accountability Act, because it is unlike other types of sensitive data. We may see more litigation around COVID-19 data in the future, given the rapid rollout of workplace temperature checks approved by the Occupational Safety and Health Administration.

Breaches like this could be better mitigated by properly vetting third parties and reviewing their data protection policies. A comprehensive plan should include identity and access management that defines and manages the roles of those with access to sensitive information within an organization, to prevent unauthorized access to and sharing of sensitive data.

Did management communicate data management policies to its employees? Were proper data protection measures, including encryption, in place? Was there a data loss prevention plan and, at a minimum, a breach response plan? These are questions that organizations must think about when working with a third party to intake and manage sensitive data — especially data associated with COVID-19. Learn more about the cybersecurity measures we recommend to reduce your organization’s chances of a data breach in our whitepaper: Privacy Is Hard To Enact Without Security.