Insight Global, a staffing firm that performed COVID-19 contact tracing for the state of Pennsylvania, has reached a settlement with the Department of Justice to pay $2.7 million. This settlement comes after employees of the firm stored the private medical information of tens of thousands of Pennsylvanians on unauthorized, easily-accessible Google accounts. Special Agent in Charge Maureen Dixon emphasized the importance of contractors for the government following procedures to safeguard personal health information and stated that those who do not do so will be held accountable.
The Pennsylvania Department of Health had contracted Insight Global to administer the state’s contact tracing program during the height of the pandemic, paying the firm tens of millions of dollars. However, it was revealed that employees used unauthorized Google accounts to store sensitive information such as names, phone numbers, email addresses, COVID-19 exposure status, sexual orientations, and more about residents who had been reached for contact tracing. This was a direct violation of the company’s contract with the state which required them to safeguard such data. Insight Global was eventually fired by state health officials after the data breach came to light.
A federal whistleblower lawsuit was filed by a former Insight Global contractor who raised concerns to company management about the potential accessibility of residents’ health information to the public. The lawsuit alleged that despite these concerns, the company was not willing to pay for necessary computer security systems and instead prioritized hiring large numbers of workers. It took the company five months to begin securing residents’ protected medical information, as noted by the U.S. Justice Department.
Maureen R. Dixon, from the inspector general’s office at the U.S. Department of Health and Human Services, stated that contractors who fail to follow procedures to safeguard personal health information will be held accountable. As part of the settlement, the whistleblower is set to receive nearly $500,000. Insight Global has acknowledged its mishandling of sensitive information and apologized for the incident. The company claimed that it was only belatedly made aware of the unauthorized Google accounts set up by employees for sharing information.
Insight Global, which has offices in the U.S., Canada, and the U.K., has faced consequences for its mishandling of private medical information in the contact tracing program for Pennsylvania. The settlement with the Department of Justice serves as a reminder of the importance of safeguarding personal health information and the accountability that comes with failing to do so. Despite the apology from the company and acknowledgement of the mismanagement of sensitive data, the incident highlights the risks associated with improper handling of personal information in the context of public health initiatives during a global pandemic.
