Insight Global agreed to pay $2.7 million to settle alleged False Claims Act violations for failing to provide adequate cybersecurity for Covid-19 contact tracing data.

The Atlanta-based staffing company, which specializes in sourcing information technology, accounting, finance, healthcare, and engineering professionals, will pay $1.35 million in restitution, the Department of Justice (DOJ) said in a settlement agreement dated April 24.

The settlement resolves claims brought under the qui tam provisions of the False Claims Act by Terralyn Seilkop, a former Insight Global staff member, the DOJ said in a press release Wednesday. Seilkop will receive nearly $500,000 of the settlement amount, plus $86,000 from Insight Global to cover attorneys’ fees, expenses, and costs arising from the civil action.

The details: In October 2021, the DOJ announced it would start pursuing cases of cybersecurity-related fraud by government contractors.

In or around August 2020, the Pennsylvania Department of Health (PDH) hired Insight Global to provide staffing for Covid-19 contact tracing and paid invoices using funds from the U.S. Centers for Disease Control and Prevention. The company committed that “information related to the services being provided must be kept confidential and secure,” as part of its contract, according to the DOJ.

Insight Global did not properly transmit data of contact tracing subjects, including personal health and/or identifiable information, the DOJ alleged. The company’s staff used shared passwords to access the data and stored it without password protections, per the DOJ.

From November 2020 to January 2021, Insight Global managers received complaints from staff that the data was unsecure and potentially accessible to the public, but the company failed to start remediating the issue until April 2021, the DOJ alleged.

“Insight Global should have (and could have) provided more data security resources and training” before contracting with PDH, the settlement agreement stated.

Compliance considerations: The company began remediating the alleged deficiencies before the DOJ launched its investigation, the agency acknowledged.

Remedial efforts included securing the data, investigating the cause and scope of the incident, strengthening internal controls and procedures, allocating more data security resources, and notifying subjects.

Company response: In an emailed statement, Insight Global said the “remediation was thorough and appropriate independent of the DOJ inquiry” and it was “pleased to have resolved this matter.”

“Since 2020, Insight Global has continued to strengthen its information security posture by reinforcing its compliance, data privacy, and risk functions; increasing its vendor due diligence; and implementing a host of additional controls and enhanced training programs,” the statement said.