Earlier this month, the Department of Justice (DOJ) announced a settlement with Atlanta-based Insight Global LLC resolving claims under the False Claims Act (FCA) relating to alleged deficiencies in Insight Global's cybersecurity measures in performing a pandemic-related government contract. This is the fourth settlement under DOJ's Civil Cyber Fraud Initiative. As part of the settlement, Insight Global agreed to pay US$2.7 million to avert litigation in a qui tam suit brought by a relator.
According to the settlement agreement, the Pennsylvania Department of Health retained Insight Global in August 2020 to provide staff to conduct contact tracing as part of the state's Covid-19 mitigation efforts. Pennsylvania used federal covid-relief funds to pay for the engagement. The contract allegedly contained a provision requiring Insight Global to safeguard the protected health information (PHI) it would obtain as part of its work and keep that information "confidential and secure." Yet, according to the government, Insight Global transmitted data in ways that did not live up to this requirement, including by sending PHI in unencrypted emails and storing it in files that were not password-protected and were potentially accessible to the public via internet links. The settlement notes that while Insight Global managers received complaints from internal staff that such information was unsecure and potentially accessible to the public and did nothing for several months, Insight Global later took remedial steps before the government's investigation began.
Though the relator initiated this suit shortly before DOJ unveiled the Civil Cyber Fraud Initiative, DOJ's press release seems to take credit for it as part of the initiative, making it the fourth settlement so far in about two-and-a-half years. DOJ's press release quotes the U.S. Attorney for the relevant district in Pennsylvania as saying that "cybersecurity is a critical part of most, if not all, federally funded contracts," highlighting that DOJ views this as a broad-based initiative to ensure cybersecurity compliance among federal contractors performing work of all kinds. That said, it is notable that three of the four settlements announced thus far under the initiative have related to alleged mishandling of PHI. As we've blogged about previously, though, FCA allegations relating to cybersecurity can and do span a wide variety of fact patterns, including in industries other than health care.
As the initiative's third year continues on, we can expect to see more cyber-related settlements and litigation under the FCA. We'll continue to keep you updated on them here at Qui Notes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.