PITTSBURGH — The company that ran Pennsylvania’s contact tracing program during the COVID-19 pandemic will pay nearly $3 million for allegedly failing to protect the private medical and personal information of more than 100,000 residents of Pennsylvania.
It’s a big development in a story 11 Investigates broke two years ago. Chief Investigator Rick Earle broke the story and he’s followed it every step of the way.
The former Insight Global employee, who first approached us about the compromised data, filed a false claims act against the company, under the whistleblower provisions. The Department of Justice then launched an investigation. On Wednesday, Insight Global agreed to pay nearly $2.7 million to settle the civil lawsuit.
>> Pennsylvanians who had personal information exposed in contact tracing data breach no longer suing
Insight Global, a staffing company based in Atlanta, Georgia, was hired by the Pennsylvania Health Department to conduct contact tracing during the COVID-19 outbreak.
But 11 Investigates discovered that the company failed to secure the personal and medical information of more than 100,000 residents of Pennsylvania, including children.
We obtained the spreadsheets with personal and medical information of individuals across the state and tracked down some of them.
Earle: What is your reaction as you look at that?
Resident: I’m shocked.
“I’m very angry that I have like this information is just out there. It’s not encrypted,” said another woman whose information we found on the spreadsheets.
Our exclusive reporting prompted the health department to terminate the $30 million contract with Insight Global.
It also led to a class action lawsuit against Insight Global, filed on behalf of those whose information was exposed.
There were also legislative hearings in Harrisburg to discuss how and why this happened.
“I learned of this breach by a third party contractor not from the department but from a reporter in Pittsburgh,” said Pennsylvania Senator Kristin Phillips-Hill, a Republican from York.
It also led to a new law strengthening reporting requirements for data breaches.
And now the Department of Justice announced that the company has agreed to pay $2.7 million to resolve allegations that it violated the False Claims Act by failing to implement adequate cybersecurity measures.
The Department of Justice confirmed today that certain personal health information of contact tracing subjects was transmitted in the body of unencrypted emails, staff used shared passwords to access the information and it was stored and transmitted using Google files that were not password protected.
They also said it could be viewed through internet links.
A special agent from the Department of Health and Human Services Office of Inspector General today issued a stern warning to all companies doing business with governments.
“Contractors for the government who do not follow procedures to safeguard individuals’ personal health information will be held accountable.”
11 Investigates has learned that the former Insight Global employee who blew the whistle on the data breach will get a half million dollars.
The rest of the money will be paid out as restitution.
Insight Global sent a statement to 11 Investigates this afternoon:
“Insight Global took remedial action upon learning of the initial situation years ago, long before the Department of Justice opened its investigation. while we believe that remediation was thorough and appropriate independent of the DOJ inquiry, we cooperated with their investigation, and we are pleased to have resolved this matter. As one of the largest it staffing companies in the United States, we certainly recognize how important data security is to our clients and their stakeholders, and we continue to make it a top priority. Since 2020, Insight Global has continued to strengthen its information security posture by reinforcing its compliance, data privacy, and risk functions, increasing its vendor due diligence, and implementing a host of additional controls and enhanced training programs.”
This browser does not support the video element.