Staffing Company to Pay $2.7 Million for Alleged Failure to Provide Adequate Cybersecurity for COVID-19 Contact Tracing Data

HARRISBURG - Insight Global LLC, headquartered in Atlanta, Georgia, has agreed to pay $2,700,000 to resolve allegations that it violated the False Claims Act by failing to provide adequate cybersecurity to protect health information obtained during COVID-19 contact tracing.

The United States alleged that during the COVID-19 pandemic, the Pennsylvania Department of Health hired Insight Global to provide staffing for COVID-19 contact tracing, and paid Insight Global using funds from the U.S. Centers for Disease Control and Prevention. Insight Global understood that personal health information of contact tracing subjects needed to be kept confidential and secure, but it failed to do so. For example, certain personal health information and/or personally identifiable information of contact tracing subjects was transmitted in the body of unencrypted emails, staff used shared passwords to access such information, and such information was stored and transmitted using Google files that were not password protected and were potentially accessible to the public via internet links.

The United States further alleged that from November 2020 through January 2021, Insight Global managers received complaints from Insight Global staff that such information was unsecure and potentially accessible to the public, but Insight Global failed to start remediating the issue until April 2021. At that point, Insight Global addressed the issue, including by securing such information, investigating the cause and scope of the incident, strengthening internal controls and procedures, adding more data-security resources, and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected. Insight Global also cooperated with the United States' investigation.

"The resolution announced today reflects our continuing commitment to ensure that government contractors fulfill their cybersecurity obligations," said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department's Civil Division. "Failure to do so can compromise sensitive information of individuals and the government. The Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements."

"We will continue to work tirelessly here in the Middle District of Pennsylvania to make sure that those who do business with the government fulfill their commitments," said United States Attorney Gerard M. Karam. "Increasingly, cybersecurity is a critical part of most, if not all, federally funded contracts. We are thankful for the support of HHS-OIG and their assistance in investigating this case."

"Contractors for the government who do not follow procedures to safeguard individuals' personal health information will be held accountable," said Maureen R. Dixon, Special Agent in Charge with the Department of Health and Human Services, Office of Inspector General (HHS-OIG). "HHS-OIG and our law enforcement partners remain dedicated to protecting the American public and the security of their personal health data."

On October 6, 2021, the Deputy Attorney General announced the Department's Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents. Information on how to report cyber fraud can be found here.

The United States' investigation was prompted by a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds and to receive a share of any recovery. The settlement in this case provides for the whistleblower, Terralyn Williams Seilkop, a former Insight Global staff member who worked on the contact tracing at issue, to receive a $499,500 share of the settlement amount. The case is captioned United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.).

This matter is being handled by Senior Trial Counsel Albert P. Mayer of the Justice Department's Civil Division, Commercial Litigation Branch, Fraud Section, and Assistant United States Attorney Tamara J. Haken of the United States Attorney's Office for the Middle District of Pennsylvania, with assistance from the Department of Health and Human Services' Office of Inspector General.

The claims resolved by the settlement are allegations only, and there has been no determination of liability.

# # #