Cybersecurity Whistleblower Receives $499,500 in Qui Tam Settlement

May 15, 2024
Nicolas Enrique O’Connor

On May 1, 2024, the Department of Justice (“DOJ”) announced a $2.7 million dollar settlement with Insight Global LLC to resolve allegations that it violated the False Claims Act (“FCA”) by failing to implement appropriate cybersecurity measures to protect confidential personal health information.  The Pennsylvania Department of Health, using funds from the U.S. Centers for Disease Control, hired Insight Global to staff its COVID-19 contact tracing efforts.  Terralyn Williams Seilkop, a former employee of Insight Global who worked on this contact tracing contract, filed a qui tam lawsuit under the FCA that brought this fraud to the attention of the DOJ, and she will receive $499,500 as part of this settlement.

The qui tam provisions of the FCA permit whistleblowers – known as “relators” – to file a lawsuit on behalf of the federal government alleging that an individual or a company defrauded the government, and a relator is eligible to receive between 15% and 30% of the judgement or settlement in a successful qui tam lawsuit.  In addition to receiving an award pursuant to the DOJ’s settlement of the qui tam action itself, the relator, who repeatedly raised concerns about this fraud and subsequently experienced being ostracized and losing job responsibilities before suffering a constructive discharge, also entered into a separate settlement agreement with Insight Global to resolve her FCA retaliation claims under 31 U.S.C. § 3730(h) for an undisclosed amount.

The DOJ alleged that, despite representing to the Pennsylvania Department of Health that it “recognizes and accepts that the contact tracing workforce will have access to personal health information of contact tracing subjects and must ensure that and all other such information related to the services being provided must be kept confidential and secure,” Insight Global failed to implement cybersecurity controls and procedures.  Among Insight Global’s cybersecurity failures, staff hired by Insight Global shared and received personal health information and personally identifiable information through unencrypted emails and shared amongst themselves passwords to access this information.  Staff also stored this information in unsecured Google Drive files that could be accessed by any member of the public through an internet link.  Even though it received reports of these cybersecurity failures from its managers as early as November 2020, Insight Global failed to begin remediating these issues until April 2021.

Cybersecurity-related fraud has been a priority for the DOJ for several years.  On October 6, 2021, the DOJ announced its Civil Cyber-Fraud Initiative.  This initiative aims to combat fraud by companies that knowingly provide deficient cybersecurity services, misrepresent the adequacy of their cybersecurity measures, or violate their obligations to monitor and promptly report cybersecurity events or data breaches.  The DOJ has previously secured several other settlements resulting from cybersecurity-related FCA actions.

Contact Us

Katz Banks Kumin has published a Cybersecurity and Data Privacy Whistleblower Protections Guide that provides an overview of the various state and federal protections and reward programs available to cybersecurity whistleblowers.  Reward programs include not only qui tam actions under the FCA but also whistleblower tips submitted to the Securities and Exchange Commission (“SEC”) or the Commodity Futures Trading Commission (“CFTC”) as part of the SEC and CFTC Whistleblower Programs or to the Department of Treasury pursuant to the new Anti-Money Laundering Act, as well as tips submitted through the DOJ’s new corporate whistleblower award pilot program.

Cybersecurity and data privacy whistleblowers who submit information to the SEC, the CFTC, or the Department of Treasury may be eligible to receive an award of 10% to 30% of sanctions imposed in enforcement actions resulting in monetary sanctions in excess of $1 million.  Our attorneys at Katz Banks Kumin regularly assist clients in reporting wrongdoing to federal agencies through these and other whistleblower programs and have helped them secure sizable awards under these programs.  If you have information about cybersecurity failures, data breaches, or violations of related laws or regulations that you are considering reporting to the DOJ or another federal agency, contact the experienced lawyers at Katz Banks Kumin.  Your communications with us are confidential and without further obligation.

Our Offices

Washington, DC
Katz Banks Kumin LLP

11 Dupont Circle NW, Suite 600
Washington, DC 20036

Phone: 202-299-1140
Philadelphia, PA
Katz Banks Kumin LLP

1845 Walnut St., 25th Floor
Philadelphia, PA 19103

Phone: 215-735-2171
San Francisco, CA
Katz Banks Kumin LLP

150 California St., 16th Floor
San Francisco, CA 94111

Phone: 415-813-3260