A large staffing firm that performed COVID-19 contact tracing for Pennsylvania and exposed the private medical information of about 72,000 residents will pay $2.7 million in a settlement with the Justice Department and a company whistleblower, federal prosecutors announced Wednesday.
The Pennsylvania Department of Health paid Atlanta-based Insight Global tens of millions of dollars to administer the state’s contact tracing program during the height of the pandemic. The company was responsible for identifying and contacting people who had been exposed to the coronavirus so they could quarantine.
Employees used unauthorized Google accounts — readily viewable online — to store names, phone numbers, email addresses, COVID-19 exposure status, sexual orientations and other information about residents who had been reached for contact tracing, even though the company’s contract with the state required it to safeguard such data.
State health officials fired Insight Global in 2021 after the data breach came to light. A subsequent federal whistleblower lawsuit alleged that Insight Global secured its lucrative contract with Pennsylvania knowing that it lacked secure computer systems and adequate cybersecurity.
The whistleblower — a former Insight Global contractor — complained to company management that residents' health information was potentially accessible to the public, according to the lawsuit. The company initially ignored her, then, when pressed, told the whistleblower “it was not willing to pay for the necessary computer security systems and instead preferred to use its contract funds to hire large numbers of workers,” the lawsuit said.
It took Insight Global five months to start securing residents' protected medical information, according to the U.S. Justice Department.
“Contractors for the government who do not follow procedures to safeguard individuals’ personal health information will be held accountable,” Maureen R. Dixon, who heads up the inspector general's office at the U.S. Department of Health and Human Services, said Wednesday in a statement on the settlement, of which the whistleblower is set to receive nearly $500,000.
Insight Global, which has about 70 offices in the U.S., Canada and the U.K., has previously acknowledged it mishandled sensitive information and apologized. The company said at the time it only belatedly became aware that employees had set up the unauthorized Google accounts for sharing information.
A message was sent to the company Wednesday seeking comment on the settlement.