DOJ Cyber Fraud Initiative

A pair of government contractors recently agreed to settlements of alleged violations of the False Claims Act (FCA) for nearly $10 million as part of the U.S. Department of Justice’s (DOJ) Civil Cyber Fraud Initiative (CCFI).

The creation of the CCFI last fall drastically expands the potential liability of government contractors, grant recipients, and other health care providers participating in federal health care programs. It also signals that the government seeks to continue enforcing the FCA by focusing on data privacy and cybersecurity violations.

Details of DOJ Cyber Fraud Initiative Settlements

In March 2022, Comprehensive Health Services LLC (CHS), located in Cape Canaveral, Florida, agreed to pay $930,000 to resolve allegations that it violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan.

One of the government’s allegations against CHS was that it failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure EMR system. When CHS staff scanned medical records containing patients’ protected health information (PHI) into the EMR system, CHS staff saved and left scanned copies of some records on an internal network drive, which was accessible to non-clinical staff. Even after staff raised concerns about the privacy of protected medical information, CHS did not take adequate steps to store the data exclusively on the EMR system.

CHS had previously submitted contract claims to the State Department for the cost of a secure electronic medical record (EMR) system to store all patients’ medical records.

Then in July 2022, Aerojet Rocketdyne agreed to pay $9 million to resolve allegations that it violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in specific federal government contracts.

DOJ Cyber Fraud Initiative and the HIPAA Connection

The CCFI opens the door to cooperation between DOJ and the Health and Human Services Office for Civil Rights on HIPAA enforcement matters if federal contracting requirements specify HIPAA-level privacy and security standards.

As a result of the DOJ’s creation of CCFI, the False Claims Act may now be leveraged as a privacy- and security-related enforcement tool where cybersecurity violations are involved, which may include data breaches involving PHI and other sensitive personal information.

Whistleblower Incentives Within the DOJ Cyber Fraud Initiative

Leveraging the False Claims Act opens the door for whistleblowers to bring suits on behalf of the government and receive a portion of the recovery. In the Aerojet Rocketdyne settlement, the former employee who brought and litigated the case will receive $2.61 million from the total settlement.

Under HIPAA, only the government can bring actions against those violating the law’s provisions. Under the FCA, whistleblowers may receive 15 to 30 percent of the total damages recovered by the government.