Insight Global, a staffing firm that conducted COVID-19 contact tracing for the state of Pennsylvania, has agreed to pay $2.7 million in a settlement with the Department of Justice. This comes after employees of the firm stored the private medical information of around 72,000 Pennsylvanians on unauthorized and easily accessible Google accounts. Government contractors who fail to follow procedures to protect individuals’ personal health information will be held accountable, according to Special Agent in Charge Maureen Dixon.
The Pennsylvania Department of Health had hired Insight Global to administer the state’s contact tracing program during the peak of the pandemic, paying the company tens of millions of dollars. However, employees used unauthorized Google accounts to store private information about residents who had been reached for contact tracing, despite the company’s contractual obligation to safeguard such data. Insight Global was eventually fired by state health officials in 2021 after the data breach was discovered, leading to a federal whistleblower lawsuit alleging that the company lacked secure computer systems and adequate cybersecurity.
A former Insight Global contractor who blew the whistle on the mishandling of sensitive information will receive nearly $500,000 from the settlement. The whistleblower had raised concerns to company management that residents’ health information was potentially accessible to the public, but initially received no response. Insight Global took five months to start securing residents’ protected medical information, according to the U.S. Justice Department. Maureen R. Dixon of the U.S. Department of Health and Human Services emphasized the importance of contractors following procedures to safeguard individuals’ personal health information.
Insight Global, which has offices in the U.S., Canada, and the U.K., has acknowledged mishandling sensitive information and issued an apology. The company stated that it was only after the fact that it became aware of employees setting up unauthorized Google accounts and sharing information on them. A message was sent to the company seeking comment on the settlement. These events highlight the importance of safeguarding personal health information, particularly during a public health crisis such as the COVID-19 pandemic, and hold contractors accountable for failing to do so.
