Pennsylvania COVID-19 Data Breach Highlights Privacy Concerns for State-Run Tracking Apps
A person’s digital privacy is essential in today’s information age. People should be vigilant about who has access to their data. During this COVID-19 pandemic, some have voluntarily provided health information, such as posting selfies with their vaccine information to social media or downloading a state-sponsored COVID-19 tracing app.
According to a local news outlet, a whistleblower working for a government contractor forwarded concerns about a vulnerability to the Pennsylvania Department of Health’s Office of Legal Counsel, which responded that they “forwarded [the] inquiry to our legal management team.” The data breach in question led to “more than 70,000 Pennsylvanians having their personal information accessible on the internet.” The information leaked included names, phone numbers, email addresses, and COVID-19 diagnoses or exposures.
Unfortunately, in Pennsylvania, the executive branch did not seem to take the concerns too seriously. When a state legislator brought the concerns to the Governor’s office, the governor pledged to investigate and reported that the claims were determined to be false. Only after news of the data breach hit the press did the Department of Health start addressing the vulnerability.
This story illustrates considerations ALEC highlighted last year that state policymakers should think through with respect to government-run contact tracing apps. Chief among the considerations listed was “how much privacy users can expect.”
The Fourth Amendment to the United States Constitution and analogue state constitutions exist to limit government access to a person’s information. Federal standards like the Health Insurance Portability and Accountability Act (HIPAA) further restrict how certain types of personal information—in this case health information—must be handled.
Governments have no competitors, unlike the private sector. For contact tracing apps, while smartphone manufacturers worked with governments, ultimately, the governments controlled development and distribution. As stewards of taxpayer funds, governments should be vigilant when signing contracts and selecting vendors. When governments fail to be vigilant, the taxpayer is on the hook if bad actors access the confidential, personal information. For the contact tracing apps, as listed in the previous ALEC article, policymakers should ask the executive and any vendor certain questions, including:
- What steps have the state and developers taken to secure the app from bad actors? What cybersecurity measures are in place? How has the security of the app been audited? Has the state contracted with third parties to test the security of the app and data collected?
- What type of information can state health officials access from the app? Has the state drafted best practices for data collection, anonymization, retention, security, and sharing? Is the data anonymized? How is the data anonymized? Can the data ever be linked to specific users? Will the third parties who helped develop the app have access to the data? Will any other third party have access to the data?
- What are the state’s policies for deleting the data? How is the data deleted? If third parties have access to the data, how will the state ensure that they delete the data?
Government should guard personal information zealously. When the government takes a cavalier attitude toward privacy and fails to heed warnings from vendors, it places the identities of citizens at severe risk of misuse and abuse.