Staffing Company to Pay $2.7M for Alleged Failure to Provide Adequate Cybersecurity for COVID-19 Contact Tracing Data

Insight Global LLC, headquartered in Atlanta has agreed to pay $2.7 million to resolve allegations that it violated the False Claims Act by failing to implement adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing.

The United States alleged that during the COVID-19 pandemic, the Pennsylvania Department of Health hired Insight Global to provide staffing for COVID-19 contact tracing and paid Insight Global using funds from the U.S. Centers for Disease Control and Prevention. Insight Global understood that personal health information of contact tracing subjects needed to be kept confidential and secure, but it failed to do so. For example, certain personal health information and/or personally identifiable information of contact tracing subjects was transmitted in the body of unencrypted emails, staff used shared passwords to access such information, and such information was stored and transmitted using Google files that were not password protected and were potentially accessible to the public via internet links.

The United States further alleged that from November 2020 through January 2021, Insight Global managers received complaints from Insight Global staff that such information was unsecure and potentially accessible to the public, but Insight Global failed to start remediating the issue until April 2021. At that point, Insight Global addressed the issue, including by securing such information, investigating the cause and scope of the incident, strengthening internal controls and procedures, adding more data-security resources and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected. Insight Global also cooperated with the United States' investigation.

"The resolution announced today reflects our continuing commitment to ensure that government contractors fulfill their cybersecurity obligations," said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department's Civil Division. "Failure to do so can compromise sensitive information of individuals and the government. The Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements."

"We will continue to work tirelessly here in the Middle District of Pennsylvania to make sure that those who do business with the government fulfill their commitments," said U.S. Attorney Gerard M. Karam for the Middle District of Pennsylvania. "Increasingly, cybersecurity is a critical part of most, if not all, federally funded contracts. We are thankful for the support of HHS-OIG and their assistance in investigating this case."

"Contractors for the government who do not follow procedures to safeguard individuals' personal health information will be held accountable," said Special Agent in Charge Maureen R. Dixon of the Department of Health and Human Services Office of Inspector General (HHS-OIG). "HHS-OIG and our law enforcement partners remain dedicated to protecting the American public and the security of their personal health data."

On Oct. 6, 2021, the Deputy Attorney General announced the department's Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents. Information on how to report cyber fraud can be found here.

The United States' investigation was prompted by a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds and to receive a share of any recovery. The settlement in this case provides for the whistleblower, Terralyn Williams Seilkop, a former Insight Global staff member who worked on the contact tracing at issue, to receive a $499,500 share of the settlement amount. The case is captioned United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.).

Senior Trial Counsel Albert P. Mayer of the Justice Department's Civil Division, Commercial Litigation Branch, Fraud Section and Assistant U.S. Attorney Tamara J. Haken for the Middle District of Pennsylvania handled this matter, with assistance from HHS-OIG.

The claims resolved by the settlement are allegations only. There has been no determination of liability.

Public link

Please use the above public link if you want to share this noodl on another website.