On March 8, 2022, the U.S. Department of Justice (DOJ) announced a $930,000 settlement with Comprehensive Health Services, LLC (CHS) for alleged violations of the False Claims Act (FCA). This settlement marks DOJ’s first resolution of an FCA enforcement action involving cyber fraud after launching its Civil Cyber-Fraud Initiative in October 2021, signaling DOJ’s eagerness to combat cybersecurity violations and misrepresentations.

The DOJ alleged that between 2012 and 2019, CHS violated the FCA by falsely representing to the U.S. Department of State and U.S. Air Force that it had complied with contractual obligations in connection with its agreement to provide medical and data record services at facilities in Iraq and Afghanistan. Specifically, DOJ alleged that CHS stored patients’ protected health information (PHI) and personally identifiable information (PII) on an electronic medical record (EMR) system that was, at times, unsecured, in violation of express contractual requirements. CHS also allegedly failed to remediate these cybersecurity failures after its employees raised concerns that PHI and PII had inappropriately been stored and saved outside of the EMR system.

Further, DOJ asserted that CHS had falsely represented to the State Department and Air Force that the controlled substances it supplied to patients pursuant to the contracts were approved by the U.S. Food and Drug Administration (FDA) or European Medicines Agency (EMA). In fact, CHS lacked the necessary Drug Enforcement Agency license to export controlled substances and instead arranged for a South African shipping company to deliver controlled substances that were approved by neither the FDA nor the EMA. CHS then supplied those unapproved controlled substances to patients under the State Department and Air Force contracts.

Although the facts of this qui tam case fit into the framework of a typical procurement fraud FCA claim, albeit one involving a potential violation of the Health Insurance Portability and Accountability Act (HIPAA)[1], DOJ distinctly emphasized the role that cyber-related violations played in its decision to pursue enforcement against CHS. Although the qui tam relators alleged in their suits (filed in 2017 and 2019, five and three years (respectively) before the cyber-fraud initiative was announced) that CHS’s actions violated HIPAA, DOJ did not allege as much in the “Covered Conduct” section of the settlement Agreement, instead emphasizing the generalized failure to “provide a secure electronic medical record system to store all patients’ medical records, including the confidential identifying information of U.S. servicemembers, diplomats, officials, and contractors working and receiving medical care in Iraq.” Of particular interest, the press release quoted Principal Deputy Assistant Attorney General Boynton, the current acting head of the Civil Division: “This settlement demonstrates the Department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk. We will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.”

Clearly, DOJ was eager to announce a victory in its efforts to bolster cybersecurity and combat cyber fraud. Federal government contractors should expect DOJ to highlight the role of cyber-related misrepresentations and violations in future FCA enforcement actions in furtherance of its Civil Cyber-Fraud Initiative, along with an increased focus on cybersecurity violations. Contractors should also appreciate that in this settlement, the associated $172,050 relators’ share that the United States agreed to pay the whistleblowers, and the announcement of the same, were intended to encourage whistleblowers to file qui tam actions under the FCA for cyber-related violations.

Please contact the authors if you have any questions about cybersecurity policies or the implications of the DOJ’s Cyber-Fraud Initiative in the FCA enforcement arena.

About McGuireWoods’ Government Investigations & White Collar Litigation Department

McGuireWoods’ Government Investigations & White Collar Litigation Department, which includes members of the Government Contracts and Data Privacy and Security teams, is a nationally recognized team of more than 80 attorneys representing Fortune 100 and other companies and individuals in the full range of civil and criminal investigations and enforcement matters, including litigation and action under the False Claims Act. Our False Claims Act team includes former federal prosecutors, and experienced civil and white collar criminal litigators with experience in this unique area of law. We also tap attorneys from the firm’s other practice groups and our subsidiary McGuireWoods Consulting LLC. Strategically centered in Washington, D.C., our Government Investigations & White Collar Litigation Department has been honored as a Law360 Practice Group of the Year and earned the trust of international companies and individuals through our representation in some of the most notable enforcement matters over the past decade.

[1] Section 1320d-6-d(a) of HIPAA criminalizes knowingly using, obtaining, or disclosing an individual’s identifiable health information without authorization. At least one court has held that a violation of Section 1320d-6-d(a) can result in FCA liability.