On March 8, the Department of Justice (DOJ) announced the first settlement under its Civil Cyber-Fraud Initiative: Comprehensive Health Services, LLC (CHS), a global medical services provider, agreed to pay $930,000, in part to resolve False Claims Act (FCA) allegations of cyber fraud. The government alleged that CHS contracted with the State Department to provide a secure electronic medical record (EMR) system to store patients’ medical records and submitted claims for the costs of this work, but failed to disclose that it had not consistently stored patients’ medical records on a secure EMR system.
According to the allegations, upon scanning records for the EMR system, CHS staff would leave scanned copies of records on an internal network drive accessible to non-clinical staff. CHS also allegedly did not take adequate steps to maintain the protected medical information exclusively on the EMR system even after staff raised issues with the privacy of the information. The State Department purportedly paid $485,866 for CHS’s claims related to constructing an EMR system and storing medical records on it.
This settlement comes five months after DOJ first announced its Civil Cyber-Fraud Initiative, which aims to target the government’s FCA enforcement efforts at “entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” In subsequent remarks last year, DOJ’s Acting Assistant Attorney General for the Civil Division, Brian Boynton, cited at least three “common cybersecurity failures” that could result in FCA enforcement:
- Knowing failures to meet cybersecurity standards.
- Knowing misrepresentations of security controls and practices.
- Failing to timely report suspected breaches.
This first settlement with CHS falls into the second category. The settlement indicates that DOJ will not cabin its cyber fraud enforcement efforts to noncompliance with the standard safeguarding provisions in the Federal Acquisition Regulation or Defense Federal Acquisition Regulations, but also will pursue alleged FCA liability predicated on noncompliance with other cybersecurity-related contractual provisions.
By announcing this settlement, the Civil Cyber-Fraud Initiative, and a related cyber fraud hotline, DOJ hopes to encourage whistleblowers to assert cyber-related qui tam actions. How whistleblowers and their counsel respond is yet to be seen. While the settlement with CHS included resolution of two qui tam actions, both were filed well before DOJ publicized the initiative and involved a wide array of allegations, many unrelated to cybersecurity. Companies can expect relators’ counsel to push the envelope in attempting to attach FCA liability to cybersecurity noncompliance in the coming years.
For more insights regarding DOJ’s Civil Cyber-Fraud Initiative and potential FCA liability for cybersecurity non-compliance, please see our prior posts, which have discussed the potential reach of DOJ’s initiative, some key takeaways for government contractors, and a recent qui tam matter in litigation involving this topic.