On March 8, 2022, just five months after the creation of the Department of Justice’s (“DOJ”) new Civil Cyber-Fraud Initiative (previously discussed here), the DOJ announced its first settlement of a cyber-related fraud case. Under the settlement agreement, Comprehensive Health Services LLC (“CHS”) will pay $930,000 to resolve whistleblower allegations that it violated the False Claims Act by (among other things) failing to properly store and handle confidential information. This likely is just the start of increased cyber-related enforcement actions.
CHS had contracts to provide medical support services at government facilities in Iraq and Afghanistan. As described in the settlement agreement, CHS did not properly store patient medical records on a secure electronic medical record (“EMR”) system as required by its contract, while at the same time submitting claims for payment to the government for the cost of a secure EMR system. Specifically, CHS staff allegedly saved and left copies of some medical records on an internal network drive that was accessible to non-clinical staff. Additionally, as set forth in the settlement agreement, after concerns were raised internally CHS did not take adequate steps to properly and securely store the information on the EMR system and did not disclose to the Government that it had not securely stored such records. The settlement also describes allegations that CHS provided patients with controlled substances that were unapproved by the U.S. Food and Drug Administration (“FDA”) or European Medicines Agency (“EMA”), and falsely represented that such substances were approved.
Although this particular case involves medical records, it is not likely to be long before we see enforcement actions against federal contractors that handle or store other types of confidential or sensitive government information on their systems. Federal contractors have cybersecurity obligations under existing regulations to protect federal contract information and controlled unclassified information (“CUI”), and many Department of Defense contractors have additional obligations to protect and perform cybersecurity assessments regarding covered defense information (a type of CUI). It is not hard to imagine the potential for a significant False Claims Act case against a defense contractor that performs a subpar assessment and/or misreports the results of an assessment, particularly where submission of every invoice to the government may constitute an implied certification that the company is compliant with all contractual cybersecurity obligations.
In its press release, the DOJ highlighted this settlement as a demonstration of “the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards,” and noted that it “will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.” Contractors should take immediate note and ensure any representations made regarding the security of information systems housing sensitive government information are current and accurate.