MAY 2, 2024. The United States announced that Insight Global LLC (Insight), an Atlanta-based staffing company, will pay $2.7 million to resolve allegations that the company violated the False Claims Act by failing to protect personal information obtained while contract tracing during the COVID-19 pandemic. The resolution of this case marks another victory under the Department of Justice’s Civil Cyber Fraud Initiative, launched in October 2021 to bolster the Department’s cybersecurity enforcement measures and hold accountable entities that fail to protect sensitive information or make false statements about their cybersecurity protocols.

During the COVID-19 pandemic, the Pennsylvania Department of Health contracted Insight to assist in the effort of contract tracing, paying them funds from the U.S. Centers for Disease Control and Prevention. The U.S. alleges that Insight failed to secure the private, personal health information of individuals subjected to contract tracing protocols, sharing such information in unencrypted emails and storing it in Google files that were not properly secured and were possibly accessible to the public. Insight’s staff also shared passwords to access this information, further risking the privacy of that information.

The United States further alleged that from November 2020 through January 2021, Insight staff submitted complaints to management regarding unsecure private information, yet such complaints were ignored. In April 2021, Insight finally reacted, investigating the claims and moving to secure the previously vulnerable information. Furthermore, they bolstered their security procedures and issued a public notice of the potential exposure, offering free identity protection services and credit monitoring to those affected. Additionally, the U.S. noted that Insight cooperated with their investigation into the matter.

The Principal Deputy Assistant Attorney General Head of the Justice Department’s Civil Division shared his thoughts on the case, stating that “The resolution announced today reflects our continuing commitment to ensure that government contractors fulfill their cybersecurity obligations … Failure to do so can compromise sensitive information of individuals and the government. The Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements.” As the DOJ emphasized with the launch of the Civil Cyber-Fraud Initiative, contractors who knowingly fail to comply with the cybersecurity requirements of their government contracts and/or timely report data breaches may run afoul of the False Claims Act.