
The Philly Fighting COVID disaster was also a huge data and privacy warning | Opinion

Philadelphia should create a mandatory standard privacy policy for all contractors.

The City Council seal was included on Philly Fighting COVID's vaccine registration website, where many Philadelphians submitted personal health information until the city severed the partnership.

In debating the Reconstruction Acts of 1867, congressman, soldier, and lawyer John Franklin Farnsworth said, “The first duty of the government is to afford protection to its citizens.”

This is as true today as it was in those fragile and perilous times. But in the Philly Fighting COVID debacle, the city failed in this first duty — not just for public health, but also regarding data and privacy.

One of the revelations that led to the city severing its partnership with PFC to administer vaccines was that the contractor was playing fast and loose in protecting against third-party data aggregators. This error cost Philadelphians two precious rights: privacy around personal health and trust in the system. While the company CEO Andrei Doroshin promised not to sell Philadelphians’ personal data collected by the company, the company still has the option to do so.

Philly in this case followed the lead of the federal government, which had already lowered the requirement of the Health Insurance Portability and Accountability Act, or HIPAA, such that personal electronic data about COVID-19 is being shared to quell its spread. As reasonable as this seems from a public health perspective, it was inevitable without further clarification that third parties could end up using our personal data for other purposes — or even profiting from it.


Mired in bureaucracy, cities and towns across the nation are scrambling on their own to figure out the mammoth task of vaccinating over 300 million people. It’s understandable that they will make mistakes. But vetting the security of contractors’ websites is an easy fix. While certain HIPAA regulations were loosened during the pandemic, with the flood of health data being asked for on digital sites, the need to tighten cyber privacy protections should not be difficult to anticipate or to make happen.

What can Philadelphia’s government do better moving forward? It can engage in better procurement and contract management, for which City Council is introducing new legislation. On the data and privacy front, a few simple steps can be implemented at low cost, but with a premium of common sense.

Creating a mandatory standard privacy policy for all contractors is a first step. It must include prohibiting vendors from selling health data to third parties. The Information Security Team at Philadelphia’s Department of Innovation and Technology, for example, is an entity that might take the lead in developing security policies and procedures. In the case of PFC, the vendor was allowed to write its own privacy policy. This is unacceptable.

Each vendor’s platform, once launched, should be checked for security by an equally tech-savvy city agency. Skilled experts have the know-how to think through the possible risks and ensure that the city works with prospective providers to mitigate them.

At the state level, the Commonwealth of Pennsylvania must pass strong cyber privacy laws similar to California’s landmark Consumer Privacy Act of 2018. There, residents have the legally protected right to know what personal information a business collects and how it uses and shares that information. They also have the right to opt out of the sale of personal data and are protected from discrimination in exercising their rights. A consumer privacy act, HB 1049, introduced in Pennsylvania in 2019, died in committee. Politicians must rally to push this through.

In the meantime, if city personnel are so overwhelmed that they can’t perform adequate contract management, they must seek help. Why not convene a cyber crisis team to help create and enforce best practices? The National League of Cities and U.S. Conference of Mayors, for example, exist to tackle problems like this, including lobbying for change. They’re part of the so-called “Big Seven” of influential groups that exist to support local government.


Using this rubric — requiring a city-drafted cyber privacy policy, website testing by city IT departments, and, if needed, convening a team of advisory experts — PFC would never have been picked as the first vaccine provider. The good news is that other entities, such as the Black Doctors COVID-19 Consortium, should qualify.

In addition to patient privacy, there’s another reason to avoid such mistakes: trust. As of a December report, nearly 40% of the United States population said they were unlikely to get COVID-19 vaccinations. That indicates a low rate of vaccine confidence and acceptance. Failed systems like Philly Fighting COVID undermine faith in the integrity of American health-care systems, and in doing so, they only compound the danger our nation faces as we struggle to end the pandemic.

Just as Reconstruction addressed the need to protect the rights of the freedmen, we have a duty to shield Americans from predatory practices that impinge on our freedoms — including the freedom of privacy.

Heidi Boghosian is an attorney and author of the forthcoming “‘I Have Nothing to Hide’ and 20 Other Myths about Surveillance and Privacy” (Beacon Press).