Insight Global LLC, headquartered in Atlanta, has agreed to pay $2.7 million to resolve allegations that it violated the False Claims Act by failing to implement adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing.
According to Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, "The resolution announced today reflects our continuing commitment to ensure that government contractors fulfill their cybersecurity obligations. Failure to do so can compromise sensitive information of individuals and the government. The Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements."
U.S. Attorney Gerard M. Karam for the Middle District of Pennsylvania stated, "We will continue to work tirelessly here in the Middle District of Pennsylvania to make sure that those who do business with the government fulfill their commitments. Increasingly, cybersecurity is a critical part of most, if not all, federally funded contracts. We are thankful for the support of HHS-OIG and their assistance in investigating this case."
Special Agent in Charge Maureen R. Dixon of the Department of Health and Human Services Office of Inspector General (HHS-OIG) emphasized, "Contractors for the government who do not follow procedures to safeguard individuals’ personal health information will be held accountable. HHS-OIG and our law enforcement partners remain dedicated to protecting the American public and the security of their personal health data."
The investigation into Insight Global was prompted by a lawsuit filed under the whistleblower provisions of the False Claims Act. The settlement in this case provides for the whistleblower, Terralyn Williams Seilkop, a former Insight Global staff member who worked on the contact tracing at issue, to receive a $499,500 share of the settlement amount.
The settlement resolves allegations that from November 2020 through January 2021, Insight Global failed to secure personal health information obtained during COVID-19 contact tracing. The company received complaints from staff regarding the unsecure nature of the information but only started addressing the issue in April 2021. However, Insight Global took steps to remedy the situation by securing the information, investigating the cause and scope of the incident, strengthening internal controls, and offering free credit monitoring and identity protection services to those affected.
The claims resolved by the settlement are allegations only, and there has been no determination of liability.