Staffing Company Agrees to $2.7M Settlement for Alleged Cybersecurity Lapses in COVID-19 Contact Tracing

Insight Global LLC, a prominent staffing firm headquartered in Atlanta, has reached a $2.7 million settlement to resolve allegations of violating the False Claims Act due to inadequate cybersecurity measures during COVID-19 contact tracing efforts. The settlement, announced by the Department of Justice (DOJ), marks a significant step in ensuring government contractors fulfill their cybersecurity obligations, particularly in handling sensitive health information.

The United States alleged that during the height of the COVID-19 pandemic, Insight Global was contracted by the Pennsylvania Department of Health to provide staffing for contact tracing, funded by the U.S. Centers for Disease Control and Prevention (CDC). Despite the understanding of the critical need to keep personal health information confidential and secure, Insight Global purportedly fell short in safeguarding this data.

Alarming details emerged during the investigation, revealing instances where personal health information and personally identifiable information were transmitted via unencrypted emails, staff used shared passwords for access, and information was stored and transmitted using unprotected Google files potentially accessible to the public. Complaints from Insight Global staff regarding these security lapses were reportedly raised between November 2020 and January 2021, but remedial actions were not initiated until April 2021.

Principal Deputy Assistant Attorney General Brian M. Boynton emphasized the DOJ's commitment to holding contractors accountable for fulfilling cybersecurity requirements, citing the potential compromise of sensitive information for individuals and the government. U.S. Attorney Gerard M. Karam for the Middle District of Pennsylvania echoed this sentiment, underlining the criticality of cybersecurity in federally funded contracts.

Special Agent in Charge Maureen R. Dixon of the Department of Health and Human Services Office of Inspector General (HHS-OIG) stressed the importance of safeguarding personal health information, asserting that contractors failing to adhere to such procedures will face consequences.

The settlement stems from a lawsuit filed under the whistleblower provisions of the False Claims Act. Terralyn Williams Seilkop, a former Insight Global staff member involved in the contact tracing efforts, will receive a share of the settlement amounting to $499,500.

The DOJ's Civil Cyber-Fraud Initiative, launched in October 2021, underscores the department's commitment to holding entities accountable for cybersecurity lapses, misrepresentations, or violations.

In response to the investigation, Insight Global undertook corrective measures, including securing sensitive information, enhancing internal controls, and issuing public notices regarding the incident's scope. The company also cooperated with the government's inquiry.

As cybersecurity continues to be a paramount concern, particularly in handling sensitive health data, this settlement sends a clear message about the importance of stringent cybersecurity protocols, especially for government contractors entrusted with such critical responsibilities.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.