DOJ settlement requires staffing firm to pay $2.7M for mishandling COVID data

Editor

Insight Global, a staffing firm that conducted COVID-19 contact tracing in Pennsylvania, has agreed to pay $2.7 million in a settlement with the Department of Justice after exposing the private medical information of approximately 72,000 residents. Employees of the firm stored this sensitive data on unauthorized Google accounts that were easily accessible online, in violation of the company’s contract with the state to safeguard such information. The Pennsylvania Department of Health had hired Insight Global to administer the state’s contact tracing program during the peak of the pandemic, and the company was responsible for identifying and reaching out to individuals who had been exposed to the coronavirus.

The whistleblower in the case, a former Insight Global contractor, alerted company management to the potential breach of residents’ health information. Despite initial pleas from the whistleblower to secure the data, Insight Global allegedly prioritized hiring large numbers of workers over investing in necessary computer security systems. It took the company five months to address the issue and begin securing the protected medical information of residents. The whistleblower is set to receive nearly $500,000 from the settlement, which was announced by Maureen R. Dixon, head of the inspector general’s office at the U.S. Department of Health and Human Services.

Insight Global has acknowledged mishandling sensitive information and has issued an apology for the data breach. The company claimed that it was only after the breach came to light that it became aware of the unauthorized Google accounts that had been set up by employees for sharing information. The settlement with the Department of Justice marks a significant financial penalty for the staffing firm, as well as a public acknowledgment of the severity of the breach and the importance of safeguarding individuals’ personal health information. The company, which has offices in the U.S., Canada, and the U.K., will need to implement stricter data security measures to prevent future incidents.

State health officials in Pennsylvania terminated Insight Global’s contract in 2021 once they became aware of the data breach. The firm had initially secured the contract with the state despite lacking adequate cybersecurity measures and secure computer systems. The controversy surrounding the mishandling of residents’ private medical information highlights the potential risks associated with outsourcing sensitive data to contractors who may not prioritize data security. The settlement and whistleblower lawsuit serve as a reminder that contractors working for the government must adhere to strict procedures to protect individuals’ personal health information or face consequences for non-compliance.

The settlement with the Department of Justice underscores the need for accountability among government contractors responsible for handling sensitive medical information. Maureen R. Dixon emphasized the importance of contractors following procedures to safeguard such data and reaffirmed that those who fail to do so will be held accountable. The significant financial penalty imposed on Insight Global serves as a warning to other contractors about the consequences of neglecting proper data security measures. The resolution of this case signals a commitment to protecting individuals’ privacy and personal health information, particularly in the context of public health crises like the COVID-19 pandemic.
