Photo of Nkechi KanuPhoto of Brian Tully McLaughlinPhoto of Jacob HarrisonPhoto of Jennie Wang VonCannon

On May 1, 2024, the Department of Justice (DOJ) announced that Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH) to provide staffing for COVID-19 contact tracing services.  Although contracts with state agencies generally fall outside the FCA’s ambit, PADOH paid Insight using funds received from the federal Centers for Disease Control and Prevention (CDC)—bringing the contract within the FCA’s scope. 

This is the second settlement under DOJ’s Civil Cyber-Fraud Initiative that was initiated by a qui tam complaint, this time filed in July 2021 by Insight’s former Business Intelligence Reporting Manager responsible for managing data created by contact tracers interacting with Pennsylvania residents.  See United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.).  In April 2024, DOJ elected to partially intervene in the relator’s claims for the purpose of effectuating the settlement agreement.  The relator will receive nearly $500,000 as a relator’s share award.

The contract with PADOH required Insight to, among other things, (i) ensure that PHI and all other information related to the services provided would be “kept confidential and secure”; (ii) use secure devices in performing the contract; and (iii) comply with federal PHI safeguarding obligations.  DOJ alleged that Insight violated these provisions because Insight allowed its staff to:

  • receive PHI/PII in unencrypted emails, including emails sent by government personnel;
  • share passwords to access PHI/PII; and
  • store and transmit PHI/PII via publicly-accessible Google documents.

In addition, DOJ alleged that Insight failed to:

  • provide adequate data security resources and training; or
  • promptly respond to staff complaints reporting that PHI/PII was unsecure.

Notably, the government claimed that Insight’s management received complaints from staff that PHI and PII were unsecure and potentially accessible to the public beginning in November 2020, but Insight failed to promptly remediate this issue—waiting until April 2021 to take proactive measures.  Insight did not admit liability and denied the government’s allegations set forth in the settlement agreement.

Key Takeaways

  • This is the second public FCA Civil Cyber-Fraud settlement based on a state-level contract (the first was Jelly Bean Communications Design LLC, announced by DOJ in March 2023). Accordingly, entities contracting with state governments should be proactive in ensuring that they comply with all cybersecurity obligations, especially where federal dollars are used to fund the program.   
  • Despite acknowledging that Insight cooperated with the investigation and made efforts to remediate its alleged cybersecurity violations after receiving DOJ’s Civil Investigative Demand (CID), it does not appear that DOJ rewarded Insight with any significant “cooperation credit” in the settlement. The $2.7 million total, including $1.35 million in restitution, reflects the 2x single damages (i.e., restitution) multiplier that is typically applied to FCA settlements.
  • DOJ continues to show that it will rely on whistleblowers and use the Civil Cyber-Fraud Initiative to prioritize FCA enforcement as a mechanism to hold government contractors accountable for failing to comply with cybersecurity requirements.
  • Government contractors may be able to reduce enforcement risks by promptly deploying additional resources, training personnel, and implementing or enhancing security controls, to remediate potential cybersecurity noncompliance.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Nkechi Kanu Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with…

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Photo of Brian Tully McLaughlin Brian Tully McLaughlin

Brian Tully McLaughlin is a partner in the Government Contracts Group in Washington, D.C. and co-chair of the False Claims Act Practice. Tully’s practice focuses on False Claims Act investigations and litigation, particularly trial and appellate work, as well as litigation of a…

Brian Tully McLaughlin is a partner in the Government Contracts Group in Washington, D.C. and co-chair of the False Claims Act Practice. Tully’s practice focuses on False Claims Act investigations and litigation, particularly trial and appellate work, as well as litigation of a variety of complex claims, disputes, and recovery matters. Tully’s False Claims Act experience spans procurement fraud, healthcare fraud, defense industry fraud, and more. He conducts internal investigations and represents clients in government investigations who are facing fraud or False Claims Act allegations. Tully has successfully litigated False Claims Act cases through trial and appeal, both those brought by whistleblowers / qui tam relators and the Department of Justice alike. He also focuses on affirmative claims recovery matters, analyzing potential claims and changes, counseling clients, and representing government contractors, including subcontractors, in claims and disputes proceedings before administrative boards of contract appeals and the Court of Federal Claims, as well as in international arbitration. His claims recovery experience includes unprecedented damages and fee awards. Tully has appeared and tried cases before judges and juries in federal district courts, state courts, and administrative boards of contract appeals, and he has argued successful appeals before the D.C. Circuit, the Federal Circuit, and the Fourth and Seventh Circuits.

Photo of Jacob Harrison Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.

Photo of Jennie Wang VonCannon Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory…

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.