Insight Global, LLC recently settled claims that its government contracts suffered cybersecurity failures. The cyber failures related to COVID-19 contact tracing. Insight, a staffing company based in Atlanta, will pay $2.7 million to resolve the allegations.
Insight Global’s Contract with Pennsylvania Department of Health
In the wake of the pandemic, contact tracing emerged as a critical tool in controlling the spread of the virus. Contact tracing is the identification of individuals who were exposed to someone with COVID-19 so they may be tested, treated and/or quarantined, if appropriate.
In July 2020, the Pennsylvania Department of Health contracted with Insight to provide staffing for COVID-19 contact tracing. The U.S. Centers for Disease Control funded the $23 million contract using federal funds. Federal contract regulations obligated Insight to comply with certain cybersecurity requirements. Specifically, the contract required Insight to create computer systems capable of securely storing and managing patients’ protected health information (PHI) and personally identifiable information (PII). Insight’s cybersecurity practices, however, fell short. The complaint alleged that Insight neither had in place nor intended to purchase computer software and other security systems sufficient to prevent unauthorized access to PHI and PII. The government contends Insight violated the False Claims Act when it submitted claims for payment for its services, knowingly and falsely representing that it had fulfilled its obligations under the contract.
Insight Global’s Failures Brought to Light
In July 2021, an Insight employee filed a whistleblower complaint under the qui tam provisions of the False Claims Act. According to the complaint, between November 2020 and January 2021, Insight received internal complaints regarding its insecure handling of confidential health information. Specifically, Insight employees allegedly transmitted personally identifiable health data via unencrypted emails, accessed it using shared passwords, and stored the data in unprotected files potentially accessible to the public. Insight did not take corrective action, however, until April 2021, when it took remedial steps, including securing information, investigating incidents, and bolstering internal controls.
The Government Holds Contractors Accountable
Subsequent to the filing of the whistleblower’s complaint, the government launched the Civil Cyber-Fraud Initiative in October 2021. The Initiative was created to address new and emerging cyber threats to the security of sensitive information and critical systems. Additionally, the Initiative encouraged the use of the False Claims Act as a mechanism to detect and prevent suspected cyber fraud by government contractors.
In announcing the settlement, the U.S. Attorney reiterated that government contractors who fail to safeguard sensitive information will be held accountable.
We will continue to work tirelessly here in the Middle District of Pennsylvania to make sure that those who do business with the government fulfill their commitments. Increasingly, cybersecurity is a critical part of most, if not all, federally funded contracts.
-U.S. Attorney Gerard M. Karam for the Middle District of Pennsylvania.
Cybersecurity requirements for government contractors are only going to get more stringent. In fact, the National Institute of Standards and Technology (NIST), which establishes the rules governing the handling of sensitive information, has just issued updated guidelines. Government contractors who fail to heed these guidelines may face False Claims Act lawsuits.
We Help Whistleblowers Report Cybersecurity Failures Under the False Claims Act
If you know a government contractor has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, contact us for a confidential consultation. Our attorneys include several former federal prosecutors with experience safeguarding sensitive government information.