Insight Global Settles Class Action Data Breach Lawsuit
Insight Global LLC has agreed to settle a class action lawsuit that was filed in response to an April 2021 data breach that exposed the contact tracing data of more than 76,000 Pennsylvania residents.
Insight Global was appointed the administrator of Pennsylvania’s contact tracing program during the pandemic. Performing the contracted duties required Insight Global to collect a range of sensitive information including names, telephone numbers, email addresses, sexual orientation, family size, health data, indications of exposure to COVID-19, and whether individuals required any support services.
Several Insight Global employees created Google accounts to share information, including documents and spreadsheets containing contact tracing data. When the unauthorized accounts were discovered, Insight Global instructed its employees to stop using the accounts and ensure information was secured. The issue with using unauthorized Google accounts was sensitive data was sent to servers that were outside the control of Insight Global and could potentially be accessed by unauthorized individuals. According to Insight Global’s data breach notice, the information was sent to personal Google accounts and via non-secure channels between September 2020 and April 2021. Insight Global said it discovered the security issue on April 21, 2021.
A lawsuit was filed on behalf of one of the individuals whose data had been exposed, Lisa Chapman, and similarly situated individuals who had their sensitive personal and health information exposed and potentially obtained by unauthorized individuals. The lawsuit named Insight Global and the Pennsylvania Department of Health, although the Department of Health was later dropped from the lawsuit.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The lawsuit claimed Insight Global failed to implement adequate and reasonable security measures to ensure consumers’ protected health information was secured. The lawsuit also alleged Insight Global was aware that its employees were using unsecured data communication and storage methods since at least November 2020, but failed to take action to address the problem until April 2021. The lawsuit also alleged Insight Global failed to issue timely notifications about the data breach and that when notifications were sent, the information included was inadequate. For instance, the notifications did not inform individuals that their information had been accessed by an unauthorized individual.
The lawsuit alleged the plaintiff and class members face an increased risk of identity theft and fraud due to the exposure of their personal and health information and that they have and will continue to need to continue to incur out-of-pocket expenses to protect themselves against identity theft and fraud.
Insight Global chose to settle the lawsuit with no admission of wrongdoing. Under the terms of the settlement, class members will be entitled to receive up to $250 as compensation for out-of-pocket expenses incurred due to the data breach, which includes lost time at $20 per hour. Two years of credit monitoring services will be provided. Claims for documented extraordinary losses will also be accepted up to a maximum of $5,000.
