March 17, 2022
The Department of Justice (DOJ)’s Civil Cyber-Fraud Initiative, less than six months old, just resolved the first case against Comprehensive Health Services (CHS). There are two critical takeaways for all organizations that do business with the government. First, DOJ pursued the FCA claim, despite there being no allegation that CHS’s medical record services were noncompliant; only that data supposed to be maintained exclusively in the electronic medical record system was also replicated outside that system and available without the same quality of cybersecurity protections. Second, the action was brought without any evidence of cyberattack. Bottom line, the $930,000 settlement is a reminder of the importance of robust cyber compliance in securing and performing government contracts and, in particular, identifying and responding to potential risk areas.
By way of background, in October 2021, DOJ launched the Civil Cyber-Fraud Initiative to use the False Claims Act and related “civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards[.]” The FCA prohibits knowingly submitting materially false claims for payment to the federal government. The goal of the Initiative is to leverage the FCA to target contractors that (1) knowingly provide deficient cybersecurity products or services, (2) knowingly misrepresent their cybersecurity practices or protocols, or (3) knowingly violate obligations to monitor and report cybersecurity incidents and breaches.
Shortly after announcing the initiative, DOJ filed a Statement of Interest in U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings Inc.,[1] similarly arguing that the submission of false claims for cybersecurity services can provide a basis for recovery, even if the underlying product or service (in that case rocketry) was not otherwise defective. DOJ also argued that incomplete disclosure of noncompliance to the federal government was not sufficient to absolve a contractor of false claims liability. The court subsequently adopted these positions.[2]
On March 8, 2022, the DOJ settled two actions against CHS,[3] alleging that CHS had not complied with the terms of its contract to provide medical support services to Department of State (DoS) facilities in Iraq. Specifically, CHS billed DoS $485,866 for storing medical records in a secure Electronic Medical Record (EMR) system even though it knew staff regularly stored copies of medical records on a shared drive accessible to non-clinical staff. The Settlement also explains that staff members raised the issue to management and did not receive an adequate response.[4] CHS agreed to pay $930,000 plus attorneys’ fees to resolve the claims without admitting fault.
While the settlement itself is not a game changer and is in line with DOJ’s earlier stated objectives, it is a reminder that legal cybersecurity risks exist even when there is no breach, and it underscores the importance of cybersecurity compliance processes both in the application for, and execution of, government contracts. This includes being particularly mindful of processes for identifying, escalating, and responding to identified risk areas. It also includes processes for multidirectional communication between security, legal, and compliance to align these teams on both the business’s legal obligations and its current security state. In line with the broader goals of the Civil Cyber-Fraud Initiative, government contractors should promptly, if they have not recently, evaluate their incident response processes to confirm they align with existing contractual obligations. Otherwise, they risk significant penalties under the FCA.
Orrick’s Cyber, Privacy, & Data Innovations team is ready to assist government contractors in reviewing their cybersecurity programs in light of their contractual obligations and to conduct tabletop incident response exercises designed to avoid FCA liability.
[1] No. 15-cv-2245, Dkt. 135 (E.D. Cal.)
[2] Id. Dkt. 155.
[3] U.S. ex rel. Watkins et al. v. CHS Middle East LLC, No. 17-cv-4319 (E.D. N.Y.) and U.S. ex rel. Lawler v. Comprehensive Health Services, Inc., et al., No. 20-cv-698, Dkt. 26-1 (E.D. N.Y. Feb. 28, 2022).
[4] Unrelated to cyber, the allegations also included that CHS submitted false claims concerning regulatory approval of some medications.