August 24, 2022

DOJ Expands Civil Enforcement Focus Into Cybersecurity

Jeff Gibson, John Eason and Sheaniva Murray

The Department of Justice (DOJ) has formally set its sights on cybersecurity.  In October 2021, the DOJ announced a new Civil Cyber-Fraud Initiative, under which it will pursue False Claims Act (FCA) liability against government contractors, including healthcare providers, in the cybersecurity space.  With this initiative, the DOJ seeks to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”  

Background on the Civil Cyber-Fraud Initiative

The Civil Cyber-Fraud Initiative comes on the heels of an increasing number of cyberattacks in the United States.  In May 2021, President Biden issued Executive Order (E.O.) 14028 on “Improving the Nation’s Cybersecurity,” identifying the prevention, detection, assessment, and remediation of cybersecurity incidents as essential to national and economic security and a top priority of the executive branch.  In a White House statement regarding E.O. 14028, the administration cited “[r]ecent cybersecurity incidents,” including those involving SolarWinds and Microsoft Exchange, as “a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals” and stated that the “incidents share commonalities, including insufficient cybersecurity defenses.”  In response to E.O. 14028, the DOJ created the Civil Cyber-Fraud Initiative as part of the agency’s efforts to combat new and emerging cyber threats.  The new initiative is the first formal step the DOJ has taken in this area.

With the new initiative, the DOJ has pledged to pursue FCA liability against government contractors and grant recipients in the cybersecurity space.  Many healthcare organizations, of course, are already subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (45 C.F.R. Part 164, Subpart C) and are all too familiar with the costs and legal risks stemming from cyberattacks and data breaches.  But the Civil Cyber-Fraud Initiative brings a significant new enforcement dimension in the form of the FCA.  The FCA imposes liability on any person who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval.”  A unique feature of the FCA is its qui tam (or whistleblower) provision, which allows private citizens (called “relators”) to bring suit on behalf of the United States government and to recover a share of the award.  A relator may be anyone with knowledge of fraud, such as an employee, a competitor, or a contractor.  Depending on whether or not the government decides to intervene in the action, a relator may be awarded anywhere from 15 to 30 percent of the proceeds of the action.  Under the FCA, the government is entitled to recover treble damages and statutory penalties for each false claim.  These provisions create a powerful incentive for qui tam whistleblowers to bring claims under the FCA.  In fiscal year 2021 alone, relators brought 598 new qui tam actions, and the relator share of awards was over $238 million.  That same year, the DOJ obtained more than $5.6 billion in settlements and judgments from civil fraud and false claims cases.

As for what conduct DOJ will pursue through the Civil Cyber-Fraud Initiative, in a speech before the Cybersecurity and Infrastructure Security Agency (CISA) Fourth Annual National Cybersecurity Summit on October 13, 2021, Acting Assistant Attorney General Brian M. Boynton identified the following cybersecurity failures as candidates for potential FCA enforcement:

  1. Knowing failure to comply with cybersecurity standards.
  2. Knowing misrepresentation of security controls and practices.
  3. Knowing failure to timely report suspected breaches.

The DOJ acknowledges that cybersecurity breaches and incidents may occur even with robust monitoring, detection, and reporting systems, and that the FCA will be used as an enforcement tool where there is a knowing failure to meet requirements or where there are misrepresentations of compliance with cybersecurity requirements.  As Boynton explained, “when false assurances are made to the government, sensitive government information and systems may be put at risk without the government even knowing it.”

The DOJ has encouraged those with tips related to potential cyber-related fraud, waste, abuse, and mismanagement to report information to the DOJ’s Civil Fraud Section, to notify the Federal Bureau of Investigation, to contact the Inspector General of the federal agency suspected to have been harmed, or to file a qui tam action under the FCA.  In his October 2021 speech, Boynton highlighted a new cyber-fraud reporting tool on the DOJ’s website and noted that the DOJ had partnered with several federal agencies to “promote information sharing and technical expertise, generate referrals for investigations, and multiply the number of experienced federal agents and attorneys dedicated to combatting knowing cybersecurity failures.”

FCA Enforcement Actions in the Cybersecurity Space

On February 28, 2022, the DOJ entered into the first cyber-fraud settlement since the inception of the Civil Cyber-Fraud Initiative – and, notably, it concerned the security of electronic medical record (EMR) storage.  The settlement resolved allegations originating from two qui tam actions brought by several relators.  The defendants at issue, Comprehensive Health Services, LLC and related entities (CHS), contracted with the Department of State and the U.S. Air Force to operate medical facilities and provide services in Iraq and Afghanistan consistent with United States standards.  With respect to cybersecurity, the relators alleged that the defendants failed to secure EMR in a HIPAA-compliant manner; failed to disclose known HIPAA breaches; and bid on government contracts despite knowledge that they could not meet the cybersecurity obligations under the contracts. 

The United States partially intervened in the two qui tam actions, for purposes of settlement, as to certain allegations against the defendants.  The DOJ alleged that CHS contracted with the State Department to provide a secure EMR system to store patients’ medical records and submitted claims for payment related to the construction and storage of the EMR system, but failed to disclose that it had not consistently stored patients’ medical records on a secure EMR system.  The DOJ further contended that (1) upon scanning records for the EMR system, CHS staff would leave scanned copies of records on an internal network drive accessible to non-clinical staff, and (2) CHS did not take adequate steps to maintain the protected medical information exclusively on the EMR system even after staff flagged issues with the privacy of the information.  The DOJ alleged that the government had paid CHS $485,866 as a result of false claims related to constructing an EMR system and storing medical records on it.  Notably, there was no allegation in the case that CHS’s EMR shortcomings led to a cybersecurity breach.  The DOJ also alleged that the government paid CHS $141,829 as a result of false claims for procuring drugs that were not Food and Drug Administration (FDA)- or European Medicines Agency (EMA)-approved, in violation of the terms of certain federal contracts. Under the settlement, the defendants agreed to pay $930,000 to resolve the qui tam actions, as well as $531,691 for relators’ costs and attorneys’ fees. 

The CHS settlement resolves the first public FCA case against a healthcare entity predicated in part on alleged cybersecurity failures.  In the DOJ’s press release announcing the settlement, Principal Deputy Assistant Attorney General Boynton said the “settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk. . . . We will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.”

Though outside the healthcare context, another FCA cyber-fraud settlement soon followed.  On April 27, 2022, Aerojet agreed to pay more than $9 million to settle FCA claims brought by a former compliance employee who alleged that Aerojet misrepresented its compliance with cybersecurity requirements within contracts with the Department of Defense and NASA, including in contracts for the provision of rocket engines.  The lawsuit sought billions of dollars in damages.  While the DOJ initially declined to intervene in the case, shortly after announcing the Civil Cyber-Fraud Initiative, the DOJ filed a Statement of Interest in support of the relator’s opposition to Aerojet’s summary judgment motion.  Among the arguments made by Aerojet in its summary judgment motion, the company argued that the contractual cybersecurity control provisions at issue were immaterial and that the government suffered no damages because it received the contracted-for goods and services.  The whistleblower countered that the government also contracted with Aerojet to store sensitive technical data concerning the government’s missile systems on a secure network and that Aerojet’s deficient network security inadequately protected this information from potential cyberattacks.  The government adopted a similar position, advocating for the court to find an FCA violation if Aerojet did in fact fail to provide the cybersecurity required by the contracts at issue.  The parties disputed whether Aerojet had disclosed to the government that prior data breaches were not resolved and whether data breaches had continued.  The settlement came on the second day of trial.

Implications for Healthcare Providers

The DOJ’s new initiative and recent enforcement activity make clear that it is not just cybersecurity breaches that can give rise to liability.  Healthcare companies and third parties that handle or manage electronic data or systems must also take care not to misrepresent their cybersecurity capabilities in conjunction with government contracts and bids, and they must ensure that they implement and maintain adequate cybersecurity protection to meet applicable cybersecurity requirements and any representations or warranties they may have made in their contracts with the federal government.

Never before has an effective cybersecurity compliance program been more important.  Such a program calls for organizations to regularly review their systems for vulnerabilities and to assess and respond to risks on an ongoing basis.  Not all cybersecurity systems are the same, with the size, resources, and complexity of organizations varying significantly, so these reviews may look different depending on the systems, entities, and data types at issue.  But, generally speaking, organizations that contract with the government should try to ensure that their cybersecurity programs are in line with industry standards and applicable government requirements.  They should also consider implementing available frameworks, such as the Health Information Trust Alliance (HITRUST) framework or the Cybersecurity Maturity Model Certification (CMMC) framework set forth in the Department of Defense’s September 2020 interim rule, as appropriate.  Failure to do so could mean the difference between a compliant organization and one subject to FCA enforcement under the DOJ’s new initiative.

    Jeff Gibson, Esq.

    Bass Berry & Sims, PLC, Nashville, TN

    Jeff Gibson is a member at Bass, Berry & Sims in Nashville, Tennessee. He has extensive experience representing clients in complex civil litigation and government investigations across a range of diverse industries, including healthcare. He regularly defends individuals and companies facing quasi-criminal civil fraud claims, white collar criminal charges, and compliance violations. He can be reached at [email protected]

    John Eason, Esq.

    Bass Berry & Sims, PLC, Nashville, TN

    John Eason is a member at Bass, Berry & Sims in Nashville, Tennessee.  He focuses his practice on representing clients in government enforcement actions, investigations, and related litigation, particularly involving the False Claims Act. He has represented companies and individuals, particularly in the healthcare industry.  He can be reached at [email protected]

    Sheaniva Murray, Esq.

    Bass Berry & Sims, PLC, Washington, D.C.

    Sheaniva Murray is an associate at Bass, Berry & Sims in Washington, D.C.  She represents clients in response to government actions, investigations, and litigation related to claims brought under various federal and state regulations, and regularly counsels healthcare companies.  She can be reached at [email protected]

    The material in all ABA publications is copyrighted and may be reprinted by permission only.