In the latest settlement announced by DOJ under its Civil Cyber-Fraud Initiative, Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH).
The United States alleged that during the COVID-19 pandemic, PADOH hired Insight Global to provide staffing for COVID-19 contact tracing and paid Insight Global using funds from the U.S. Centers for Disease Control and Prevention. Insight Global understood that personal health information of contact tracing subjects needed to be kept confidential and secure, but it failed to do so.
Despite contractual requirements to keep personal information related to the services provided "confidential and secure" and comply with federal PHI safeguarding obligations, DOJ alleged that:
- PHI and PII of contact tracing subjects was transmitted in the body of unencrypted emails,
- Insight staff used shared passwords to access such information,
- Information was stored and transmitted using Google files that were not password protected and were potentially accessible to the public via internet links,
- Insight failed to provide adequate data security resources and training, and
- Insight ignored staff complaints about unsecure PHI/PII.
While state agency contracts typically do not fall within the scope of the FCA, PADOH used federal funds from the Centers for Disease Control and Prevention (CDC) to pay Insight, bringing the contract within the FCA's purview. This is the second FCA Civil Cyber-Fraud settlement grounded in a state level contract. Thus, companies contracting with state governments must be aware of the possibility of FCA liability and must prioritize cybersecurity compliance.
The qui tam complaint which initiated this case was filed by Insight's former Business Intelligence Reporting Manager. DOJ partially intervened in the relator's claims, and the relator will receive a share award of nearly $500,000, evidencing both DOJ's inclination to rely on whistleblowers as well as the financial incentives available to insiders with pertinent information. Further, as DOJ regularly points to a failure to remedy cybersecurity vulnerabilities when raised in complaints by employees as part of its alleged FCA violations, businesses must take these compliance complaints seriously.
With a continuous and rapid rise in cyber-attacks, class action suits over improper data protection practices, and government enforcement actions where companies are held liable for fraud based on improper cybersecurity and data protection practices, proactive compliance with privacy and cybersecurity laws is imperative. Particularly when doing business with the government, companies must ensure they are in compliance, both to avoid costly litigation and to build consumer trust.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.