First False Claims Act Settlement under DOJ’s Cyber-Fraud Initiative

Bass, Berry & Sims PLC

Bass, Berry & Sims PLC

On March 8, the Department of Justice (DOJ) announced the first settlement under its Civil Cyber-Fraud Initiative, as Comprehensive Health Services, LLC (CHS), a global medical services provider, agreed to pay $930,000 in part to resolve False Claims Act (FCA) allegations regarding cyber fraud. The government alleged that CHS contracted with the State Department to provide a secure electronic medical record (EMR) system to store patients’ medical records and submitted claims for the costs of this work, but failed to disclose that it had not consistently stored patients’ medical records on a secure EMR system.

According to the allegations, upon scanning records for the EMR system, CHS staff would leave scanned copies of records on an internal network drive accessible to non-clinical staff. CHS also allegedly did not take adequate steps to maintain the protected medical information exclusively on the EMR system even after staff raised issues with the privacy of the information. The State Department purportedly paid $485,866 for CHS’s claims related to constructing an EMR system and storing medical records on it.

This settlement comes five months after DOJ first announced its Civil Cyber-Fraud Initiative, which aims to target the government’s FCA enforcement efforts at “entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” In subsequent remarks last year, DOJ’s Acting Assistant Attorney General for the Civil Division Brian Boyton cited at least three “common cybersecurity failures” that could result in FCA enforcement:

  1. Knowing failures to meet cybersecurity standards.
  2. Knowing misrepresentations of security controls and practices.
  3. Failing to timely report suspected breaches.

This first settlement with CHS falls into the second category. The settlement indicates that DOJ will not cabin its cyber fraud enforcement efforts to noncompliance with the standard safeguarding provisions in the Federal Acquisition Regulation or Defense Federal Acquisition Regulations, but also will pursue alleged FCA liability predicated on noncompliance with other cybersecurity-related contractual provisions.

By announcing this settlement, the Civil Cyber-Fraud Initiative, and a related cyber fraud hotline, DOJ hopes to encourage whistleblowers to assert cyber-related qui tam actions. How whistleblowers and their counsel respond is yet to be seen. While the settlement with CHS included resolution of two qui tam actions, both were filed well before DOJ publicized the initiative and involved a wide array of allegations, many unrelated to cybersecurity. Companies can expect relators’ counsel to push the envelope in attempting to attach FCA liability to cybersecurity noncompliance in the coming years.

For more insights regarding DOJ’s Civil Cyber-Fraud Initiative and potential FCA liability for cybersecurity non-compliance, please see our prior posts, which have discussed the potential reach of DOJ’s initiative, some key takeaways for government contractors, and a recent qui tam matter in litigation involving this topic.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bass, Berry & Sims PLC | Attorney Advertising

Written by:

Bass, Berry & Sims PLC

Bass, Berry & Sims PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.