Insight Global LLC, based in Atlanta, has reached a $2.7 million settlement to resolve allegations of violating the False Claims Act by failing to implement adequate cybersecurity measures during COVID-19 contact tracing efforts.
The United States government asserted that during the pandemic, the Pennsylvania Department of Health engaged Insight Global to provide staffing for COVID-19 contact tracing, using funds from the U.S. Centers for Disease Control and Prevention (CDC).
Despite being aware of the need to maintain confidentiality and security of personal health information obtained during contact tracing, Insight Global reportedly failed to do so.
Instances of concern included the transmission of personal health information in unencrypted emails, the use of shared passwords to access sensitive data, and the storage and transmission of information through unprotected Google files that could potentially be accessed by the public.
The government further alleged that Insight Global managers received complaints from staff about the insecure handling of information between November 2020 and January 2021 but failed to address the issue until April 2021.
Remedial actions were taken at that time, including securing the information, investigating the incident’s cause and scope, enhancing internal controls and procedures, allocating additional data-security resources, and issuing a public notice regarding the potential exposure. Insight Global also cooperated with the government’s investigation.
Principal Deputy Assistant Attorney General Brian M. Boynton emphasized the importance of government contractors fulfilling their cybersecurity obligations to safeguard sensitive information. U.S. Attorney Gerard M. Karam for the Middle District of Pennsylvania stressed the critical role of cybersecurity in federally funded contracts.
Special Agent in Charge Maureen R. Dixon of the Department of Health and Human Services Office of Inspector General (HHS-OIG) underscored the commitment to holding contractors accountable for protecting individuals’ personal health information.
The investigation stemmed from a lawsuit filed under the whistleblower provisions of the False Claims Act. As part of the settlement, Terralyn Williams Seilkop, a former Insight Global staff member involved in the contact tracing, will receive a share of $499,500.
The settlement aligns with the Department of Justice’s Civil Cyber-Fraud Initiative, aimed at addressing deficient cybersecurity practices by entities or individuals handling sensitive information.
Senior Trial Counsel Albert P. Mayer of the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, and Assistant U.S. Attorney Tamara J. Haken for the Middle District of Pennsylvania managed the case, with assistance from HHS-OIG.