CHS had previously submitted contract claims to the State Department for the cost of a secure electronic medical record (EMR) system to store all patients’ medical records.
Then in July 2022, Aerojet Rocketdyne agreed to pay $9 million to resolve allegations that it violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in specific federal government contracts.
DOJ Cyber Fraud Initiative and the HIPAA Connection
The CCFI opens the door to cooperation between the DOJ and the Health and Human Services Office for Civil Rights on HIPAA enforcement matters if federal contracting requirements specify HIPAA-standard privacy and security standards.
As a result of the DOJ’s creation of CCFI, the False Claims Act may now be leveraged as a privacy- and security-related enforcement tool where cybersecurity violations are involved, which may include data breaches involving PHI and other sensitive personal information.
Whistleblower Incentives Within the DOJ Cyber Fraud Initiative
Leveraging the False Claims Act opens the door for whistleblowers to bring suits on behalf of the government and receive a portion of the recovery. In the Aerojet Rocketdyne settlement, the former employee who brought and litigated the case will receive $2.61 million from the total settlement.
Under HIPAA, only the government can bring actions against those violating the law’s provisions. Under the FCA, whistleblowers may receive 15 to 30 percent of the total damages recovered by the government.