Staffing Company to Pay $2.7M for Alleged Failure to Provide
Adequate Cybersecurity for COVID-19 Contact Tracing Data
Wednesday, May 1,
2024
Office of Public Affairs
Insight Global LLC, headquartered in Atlanta has agreed to
pay $2.7 million to resolve allegations that it violated the False Claims Act
by failing to implement adequate cybersecurity measures to protect health
information obtained during COVID-19 contact tracing.
The United States
alleged that during the COVID-19 pandemic, the Pennsylvania Department of
Health hired Insight Global to provide staffing for COVID-19 contact tracing
and paid Insight Global using funds from the U.S.
Centers for Disease Control and Prevention. Insight Global understood that
personal health information of contact tracing subjects needed to be kept
confidential and secure, but it failed to do so. For example, certain personal
health information and/or personally identifiable information of contact
tracing subjects was transmitted in the body of unencrypted emails, staff used shared
passwords to access such information, and such information was stored and
transmitted using Google files that were not password protected and were
potentially accessible to the public via internet links.
The United States
further alleged that from November 2020 through January 2021, Insight Global
managers received complaints from Insight Global staff that such information
was unsecure and potentially accessible to the public, but Insight Global
failed to start remediating the issue until April 2021. At that point, Insight
Global addressed the issue, including by securing such information,
investigating the cause and scope of the incident, strengthening internal
controls and procedures, adding more data-security resources and issuing a
public notice regarding the scope of the potential exposure and offering free
credit monitoring and identity protection services to those affected. Insight
Global also cooperated with the United States’
investigation.
“The resolution announced today reflects our continuing
commitment to ensure that government contractors fulfill their cybersecurity
obligations,” said Principal Deputy Assistant Attorney General Brian M.
Boynton, head of the Justice Department’s Civil Division. “Failure to do so can
compromise sensitive information of individuals and the government. The Justice
Department will hold accountable those contractors who knowingly fail to
satisfy cybersecurity requirements.”
“We will continue to work tirelessly here in the Middle
District of Pennsylvania to make
sure that those who do business with the government fulfill their commitments,”
said U.S.
Attorney Gerard M. Karam for the Middle District of Pennsylvania.
“Increasingly, cybersecurity is a critical part of most, if not all, federally
funded contracts. We are thankful for the support of HHS-OIG and their
assistance in investigating this case.”
“Contractors for the government who do not follow procedures
to safeguard individuals’ personal health information will be held
accountable,” said Special Agent in Charge Maureen R. Dixon of the Department
of Health and Human Services Office of Inspector General (HHS-OIG). “HHS-OIG
and our law enforcement partners remain dedicated to protecting the American
public and the security of their personal health data.”
On Oct. 6, 2021, the Deputy Attorney General announced the
department’s Civil Cyber-Fraud Initiative, which aims to hold accountable
entities or individuals that put sensitive information at risk by knowingly
providing deficient cybersecurity products or services, knowingly
misrepresenting their cybersecurity practices or protocols, or knowingly
violating obligations to monitor and report cybersecurity incidents.
Information on how to report cyber fraud can be found here.
The United States’
investigation was prompted by a lawsuit filed under the whistleblower
provisions of the False Claims Act, which permit private parties to sue on
behalf of the government when they believe that defendants submitted false
claims for government funds and to receive a share of any recovery. The
settlement in this case provides for the whistleblower, Terralyn Williams
Seilkop, a former Insight Global staff member who worked on the contact tracing
at issue, to receive a $499,500 share of the settlement amount. The case is
captioned United States
ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.).
Senior Trial Counsel Albert P. Mayer of the Justice
Department’s Civil Division, Commercial Litigation Branch, Fraud Section and
Assistant U.S. Attorney Tamara J. Haken for the Middle District of Pennsylvania
handled this matter, with assistance from HHS-OIG.
The claims resolved by the settlement are allegations only.
There has been no determination of liability.