On May 1, 2024, the Department of Justice (DOJ) announced that Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH) to provide staffing for COVID-19 contact tracing services. Although contracts with state agencies generally fall outside the FCA's ambit, PADOH paid Insight using funds received from the federal Centers for Disease Control and Prevention (CDC)—bringing the contract within the FCA's scope.
This is the second settlement under DOJ's Civil Cyber-Fraud Initiative that was initiated by a qui tam complaint, this time filed in July 2021 by Insight's former Business Intelligence Reporting Manager responsible for managing data created by contact tracers interacting with Pennsylvania residents. See United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.). In April 2024, DOJ elected to partially intervene in the relator's claims for the purpose of effectuating the settlement agreement. The relator will receive nearly $500,000 as a relator's share award.
The contract with PADOH required Insight to, among other things, (i) ensure that PHI and all other information related to the services provided would be "kept confidential and secure"; (ii) use secure devices in performing the contract; and (iii) comply with federal PHI safeguarding obligations. DOJ alleged that Insight violated these provisions because Insight allowed its staff to:
- receive PHI/PII in unencrypted emails, including emails sent by government personnel;
- share passwords to access PHI/PII; and
- store and transmit PHI/PII via publicly-accessible Google documents.
In addition, DOJ alleged that Insight failed to:
- provide adequate data security resources and training; or
- promptly respond to staff complaints reporting that PHI/PII was unsecure.
Notably, the government claimed that Insight's management received complaints from staff that PHI and PII were unsecure and potentially accessible to the public beginning in November 2020, but Insight failed to promptly remediate this issue—waiting until April 2021 to take proactive measures. Insight did not admit liability and denied the government's allegations set forth in the settlement agreement.
Key Takeaways
- This is the second public FCA Civil Cyber-Fraud settlement based on a state-level contract (the first was Jelly Bean Communications Design LLC, announced by DOJ in March 2023). Accordingly, entities contracting with state governments should be proactive in ensuring that they comply with all cybersecurity obligations, especially where federal dollars are used to fund the program.
- Although DOJ acknowledged that Insight cooperated with the investigation and made efforts to remediate its alleged cybersecurity violations after receiving DOJ's Civil Investigative Demand (CID), it does not appear that DOJ rewarded Insight with any significant "cooperation credit" in the settlement. The $2.7 million total, including $1.35 million in restitution, reflects the 2x single damages (i.e., restitution) multiplier that is typically applied to FCA settlements.
- DOJ continues to show that it will rely on whistleblowers and use the Civil Cyber-Fraud Initiative to prioritize FCA enforcement as a mechanism to hold government contractors accountable for failing to comply with cybersecurity requirements.
- Government contractors may be able to reduce enforcement risks by promptly deploying additional resources, training personnel, and implementing or enhancing security controls to remediate potential cybersecurity noncompliance.