Getty Images/iStockphoto
Insight Global Settles Class Action Lawsuit After Contact Tracing Breach
The plaintiff settled a class action lawsuit alleging inadequate cybersecurity measures were behind the Insight Global COVID-19 tracing data breach that impacted more than 76,000 patients.
Insight Global, the contact tracing program administrator hired by the state of Pennsylvania, has reached a proposed settlement to resolve a class-action healthcare data breach lawsuit. The breach, which occurred in April 2021, potentially exposed personally identifiable information (PII) of over 76,000 individuals despite being supposedly secured.
“The PHI compromised in the Data Breach included highly-sensitive information including but not limited to name, gender, phone number, sexual orientation, family size, and health data,” the plaintiff mentioned.
In August 2020, the PA health department hired Insight Global to help slow down the spread of the virus by providing services and gathering important information. They also worked to identify and help with social service needs.
As previously reported, several Insight Global employees created and used unauthorized Google accounts to share information, including documents tied to contact tracing data collection. This made the data vulnerable to exposure beyond authorized employees and public health officials.
In response, Insight Global asked current and former employees to return and secure any documents containing personal information and ensure proper security controls. Despite attempts to secure patient data, a Google document with personal information of 66 individuals, mostly minors, remained available for over a month after the breach.
Lisa Chapman, who was affected by the incident, filed a lawsuit claiming that comprised health information “was a direct result of Defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect consumers’ PHI.”
The subsequent lawsuit also claimed that “Insight was aware that its employees were using unsecure data storage and communications methods as early as November 2020.”
Until at least April 21, 2021, despite being aware of the situation, neither the Department of Health nor Insight Global took any measures to safeguard the protected health information (PHI) of the plaintiff or other members of the class, the lawsuit alleged.
The plaintiff claimed that due to its untimely response and inadequate security measures that the “Plaintiff and other class now face an increased risk of identity theft and will consequentially have to spend, and will continue to spend, significant time and money to protect themselves due to Defendants’ Data Breach.”
Among the range of claims, the lawsuit also claimed that Insight Global failed “to provide timely and adequate notice to Plaintiff and other Class Members that their information had been subject to the unauthorized access of an unknown third party and precisely what specific type of information was accessed.”
According to the settlement, Insight Global LLC has agreed to pay at most $5,000 each to victims to compensate them for extraordinary out-of-pocket losses, in a settlement given final approval by a federal judge.
Additionally, victims of the breach will be eligible to receive up to $250 in compensation for ordinary out-of-pocket expenses, which can include payment for lost time at a rate of $20 per hour, as well as two years of credit monitoring services. Class counsel will receive $300,000 for fees and expenses, while Chapman, who represented the plaintiff in the case, will receive a service award of $2,000, according to the settlement agreement.