DOJ Settles First False Claims Act Enforcement Action Since Launch of Civil Cyber-Fraud Initiative

On March 8, 2022, the U.S. Department of Justice (DOJ) announced a $930,000 settlement with Comprehensive Health Services, LLC (CHS) for alleged violations of the False Claims Act (FCA). This settlement marks DOJ’s first resolution of an FCA enforcement action involving cyber fraud after launching its Civil Cyber-Fraud Initiative in October 2021, signaling DOJ’s eagerness to emphasize its commitment to combatting cybersecurity violations and misrepresentations.

The DOJ alleged that, between 2012 and 2019, CHS violated the FCA by falsely representing to the U.S. Department of State and U.S. Air Force that it had complied with contractual obligations in connection with its agreement to provide medical and data record services at State Department and Air Force facilities in Iraq and Afghanistan. Specifically, DOJ alleged that CHS stored patients’ protected health information (PHI) and confidential identifying information on an electronic medical record (EMR) system that was, at times, unsecured, in violation of express contractual requirements. CHS also allegedly failed to remediate the cybersecurity failures after its employees raised concerns that confidential medical and identifying information had inappropriately been stored and saved outside of the EMR system.

Further, DOJ asserted that CHS had falsely represented to the State Department and Air Force that the controlled substances it supplied to patients pursuant to the contracts were approved by the U.S. Food and Drug Administration (FDA) or European Medicines Agency (EMA). In fact, CHS lacked the necessary Drug Enforcement Agency license to export controlled substances and instead arranged for a South African shipping company to deliver controlled substances that were approved by neither the FDA nor the EMA. CHS then supplied those unapproved controlled substances to patients under the State Department and Air Force contracts.

Although the facts of this qui tam case fit into the framework of a typical procurement fraud FCA claim, albeit one involving a potential violation of the Health Insurance Portability and Accountability Act (HIPAA)[1], DOJ distinctly emphasized the role that cyber-related violations played in its decision to pursue enforcement against CHS. Although the qui tam relators alleged in their suits (filed in 2017 and 2019, five and three years (respectively) before the cyber-fraud initiative was announced) that CHS’s actions violated HIPAA, DOJ did not allege as much in the “Covered Conduct” section of the settlement Agreement, instead emphasizing the generalized failure to “provide a secure electronic medical record system to store all patients’ medical records, including the confidential identifying information of U.S. servicemembers, diplomats, officials, and contractors working and receiving medical care in Iraq.” Of particular interest, the press release quoted Principal Deputy Assistant Attorney General Boynton, the current acting head of the Civil Division: “This settlement demonstrates the Department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk. We will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.”

Clearly, DOJ was eager to announce a victory in its efforts to bolster cybersecurity and combat cyber fraud. Federal government contractors should anticipate the DOJ highlighting the role of cyber-related misrepresentations and violations in future FCA enforcement actions in furtherance of its Civil Cyber-Fraud Initiative and an increased focus on cybersecurity violations. Contractors should also appreciate that this settlement, the associated $172,050 relators’ share the United States agreed to pay the whistleblowers, and announcement of the same, are intended to serve as encouragement to whistleblowers to file qui tam actions under the FCA for cyber-related violations.

Please contact the authors if you have any questions about cybersecurity policies or the implications of the DOJ’s Cyber-Fraud Initiative in the FCA enforcement arena.


[1] Section 1320d-6-d(a) of HIPAA criminalizes knowingly using, obtaining, or disclosing an individual’s identifiable health information without authorization. At least one court has held that a violation of Section 1320d-6-d(a) can result in FCA liability. United States v. America at Home Healthcare and Nursing Services, Ltd., 2018 U.S. Dist. LEXIS 2592 (E.D. Ill. Jan. 8, 2018).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising

Written by:

McGuireWoods LLP