The Department of Justice (DOJ) has formally set its sights on cybersecurity. With this initiative, the DOJ seeks to
Background on the Civil Cyber-Fraud Initiative
The Civil Cyber-Fraud Initiative comes on the heels of a growing number of cyberattacks in the United States. The new initiative is the first formal step the DOJ has taken in this area.
With the new initiative, the DOJ has pledged to pursue liability under the False Claims Act (FCA) against government contractors and grant recipients in the cybersecurity space. Healthcare providers are all too familiar with the costs and legal risks stemming from cyberattacks and data breaches. But the Civil Cyber-Fraud Initiative brings a significant new enforcement dimension in the form of the FCA. A unique feature of the FCA is its qui tam (or whistleblower) provision, which allows private citizens (called “relators”) to bring suit on behalf of the United States government and to recover a share of any award. A relator may be anyone with knowledge of the alleged fraud, such as an employee, a competitor, or a contractor. These provisions create a powerful incentive for whistleblowers to bring claims under the FCA. In fiscal year 2021 alone, relators brought 598 new qui tam actions, and the relator share of awards was over $238 million.
As for what conduct DOJ will pursue through the Civil Cyber-Fraud Initiative, in a speech before the Cybersecurity and Infrastructure Security Agency (CISA) Fourth Annual National Cybersecurity Summit on October 13, 2021, Acting Assistant Attorney General Brian M. Boynton identified the following cybersecurity failures as candidates for potential FCA enforcement:
- Knowing failure to comply with cybersecurity standards.
- Knowing misrepresentation of security controls and practices.
FCA Enforcement Actions in the Cybersecurity Space
The defendants at issue, Comprehensive Health Services, LLC and related entities (CHS), contracted with the Department of State and the U.S. Air Force to operate medical facilities and provide services in Iraq and Afghanistan consistent with United States standards. With respect to cybersecurity, the relators alleged that the defendants failed to secure electronic medical records (EMR) in a HIPAA-compliant manner, failed to disclose known HIPAA breaches, and bid on government contracts despite knowing that they could not meet the contracts’ cybersecurity obligations.
The United States partially intervened in the two qui tam actions, for purposes of settlement, as to certain allegations against the defendants. The DOJ alleged that CHS contracted with the State Department to provide a secure EMR system to store patients’ medical records and submitted claims for payment related to the construction and storage of the EMR system, but failed to disclose that it had not consistently stored patients’ medical records on a secure EMR system. The DOJ further contended that (1) upon scanning records for the EMR system, CHS staff would leave scanned copies of records on an internal network drive accessible to non-clinical staff, and (2) CHS did not take adequate steps to maintain the protected medical information exclusively on the EMR system even after staff flagged issues with the privacy of the information. The DOJ alleged that the government had paid CHS $485,866 as a result of false claims related to constructing an EMR system and storing medical records on it. Notably, there was no allegation in the case that CHS’s EMR shortcomings led to a cybersecurity breach. The DOJ also alleged that the government paid CHS $141,829 as a result of false claims for procuring drugs that were not Food and Drug Administration (FDA)- or European Medicines Agency (EMA)-approved, in violation of the terms of certain federal contracts. Under the settlement, the defendants agreed to pay $930,000 to resolve the qui tam actions, as well as $531,691 for relators’ costs and attorneys’ fees.
The CHS settlement resolves the first public FCA case against a healthcare entity predicated in part on alleged cybersecurity failures. In the DOJ’s press release announcing the settlement, Principal Deputy Assistant Attorney General Boynton said the “settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk. . . .”
Though outside the healthcare context, another FCA cyber-fraud settlement soon followed, this one in a qui tam action against Aerojet. The lawsuit sought billions of dollars in damages. While the DOJ initially declined to intervene in the case, shortly after announcing the Civil Cyber-Fraud Initiative it filed a Statement of Interest in support of the relator’s opposition to Aerojet’s summary judgment motion. In that motion, Aerojet argued, among other things, that the contractual cybersecurity control provisions at issue were immaterial and that the government suffered no damages because it received the contracted-for goods and services. The whistleblower countered that the government had also contracted with Aerojet to store sensitive technical data concerning the government’s missile systems on a secure network, and that Aerojet’s deficient network security left this information inadequately protected against potential cyberattacks. The government took a similar position, urging the court to find an FCA violation if Aerojet had in fact failed to provide the cybersecurity required by the contracts at issue. The parties also disputed whether Aerojet had disclosed to the government that prior data breaches remained unresolved and whether breaches had continued. The settlement came on the second day of trial.
Implications for Healthcare Providers
The DOJ’s new initiative and recent enforcement activity make clear that liability does not require a breach: the CHS allegations concerned how records were stored and what was disclosed, not an intrusion. Healthcare companies and third parties that handle or manage electronic data or systems must therefore take care not to misrepresent their cybersecurity capabilities in government contracts and bids, and they must implement and maintain cybersecurity protections that actually meet the applicable requirements and any representations or warranties they have made in their contracts with the federal government.
Never before has an effective cybersecurity compliance program been more important. Such a program calls for organizations to review their systems for vulnerabilities regularly and to assess and respond to risks on an ongoing basis. Because organizations vary significantly in size, resources, and complexity, these reviews will look different depending on the systems, entities, and data types at issue. Generally speaking, however, organizations that contract with the government should ensure that their cybersecurity programs are in line with industry standards and applicable government requirements, and that what they represent to the government matches what is actually in place. They should also consider adopting established frameworks, such as the Health Information Trust Alliance (HITRUST) framework or the Cybersecurity Maturity Model Certification (CMMC) framework set forth in the Department of Defense’s September 2020 interim rule, as appropriate. Failure to do so could mean the difference between a compliant organization and one subject to FCA enforcement under the DOJ’s new initiative.