Guidehouse and Nan McKay and Associates (NM) will pay a total of $11.3 million to the Department of Justice (DOJ) to settle allegations that cybersecurity failures led to the theft of client personal information during the height of the COVID-19 pandemic.

Guidehouse agreed to pay about $7.6 million, while NM agreed to pay $3.7 million, the DOJ announced in a press release Monday.

The case resolved claims brought under the qui tam provisions of the False Claims Act by Elevation 33, an entity owned by a former Guidehouse employee. The former employee will receive about $1.9 million of the settlement.

The details: The federal government provided rental assistance during the pandemic with funds disbursed to states. New York contracted with Guidehouse to administer its program, which in turn subcontracted with NM to provide an electronic platform for applicants to enroll in the program.

In June 2021, personal and financial information submitted to the program was compromised within 12 hours of launch, according to the settlement agreement.

Guidehouse and NM admitted they failed to satisfy their obligations to keep data private due to a lack of prelaunch testing and security flaws that could have been corrected.

Guidehouse further admitted it violated its contract with the state of New York by storing data in the cloud without permission.

“Contractors who receive federal funding must take their cybersecurity obligations seriously,” said Carla Freedman, U.S. attorney for the Northern District of New York, in the release. “We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”

Guidehouse did not respond to a request for comment.