The DOJ’s Heightened Focus on the False Claims Act and Cybersecurity: Six Steps for Healthcare Providers to Implement to Stave Off Cybersecurity FCA Actions
On October 6, 2021, the Deputy Attorney General for the United States Department of Justice (“DOJ”) announced a new “Civil Cyber-Fraud Initiative” (the “Cyber-Fraud Initiative”) as part of the DOJ’s ongoing efforts to combat new and emerging cyber threats.[i] The Initiative includes the use of the Civil False Claims Act (“FCA”) to target cybersecurity-related fraud involving false claims for federal funds and property in connection with government programs and operations.[ii]
The Cyber-Fraud Initiative and Health Care Providers. The Cyber-Fraud Initiative targets all government contractors and grant recipients who submit false claims involving government programs and operations.[iii] The broad reach of the Cyber-Fraud Initiative includes healthcare providers who submit claims to the federal health care programs in exchange for the provision of health care services to beneficiaries. As a result, although health care providers are already subject to various complex regulatory requirements including the Health Insurance Portability and Accountability Act (“HIPAA”) laws, they are also under the microscope of the DOJ and the onerous FCA laws – referred to as the DOJ’s “primary civil tool to redress false claims.”[iv]
Conduct Targeted by the Cyber-Fraud Initiative. The Cyber-Fraud Initiative has identified three main types of conduct the DOJ is targeting: 1) providers who knowingly provide deficient cybersecurity products or services, 2) providers who knowingly misrepresent cybersecurity practices or protocols, and 3) providers who knowingly violate obligations to monitor and report cybersecurity incidents and breaches.[v]
The First Two Cyber-Fraud Settlements. In March 2022, the DOJ announced the first settlement of a Cyber-Fraud case under the Initiative. A medical services contractor, Comprehensive Health Services LLC (CHS), located in Cape Canaveral, Florida, agreed to pay $930,000 to resolve allegations that it violated the FCA by falsely representing that it complied with requirements under federal contracts relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan.[vi] At issue was the alleged improper storage of medical records on an unsecured network. Specifically, the United States alleged that between 2012 and 2019, CHS failed to disclose that it had stored some patient medical records on an unsecured system. When saving medical records, CHS staff saved some of them on an internal network that was accessible to non-medical staff. Even after concerns were raised within CHS about the privacy of the medical information, CHS allegedly did not take adequate steps to store the information exclusively in a secured medical records system.[vii]
The second Cyber-Fraud settlement occurred in July 2022 and involved Aerojet Rocketdyne Inc., headquartered in El Segundo, California. Aerojet, a company that provides propulsion and power systems for launch vehicles, missiles, satellites and other space vehicles, paid $9,000,000 to settle claims that it misrepresented its compliance with cybersecurity requirements in federal contracts.
Applicability of the Cyber-Fraud Initiative to Health Care Providers. The Cyber-Fraud Initiative extends to healthcare providers in a number of ways. First, as seen in the CHS settlement, a failure to ensure the security of medical records could lead not only to a potential HIPAA incident and/or breach but, if not handled correctly, also to a Cyber-Fraud investigation initiated by an FCA whistleblower, the DOJ, or another federal prosecutor. This risk is compounded by the multiple sources of potential compromise and the wide and varying sources of organizational “knowledge,” such as business associates.
Going back to the three types of conduct the DOJ has identified in the Initiative, a healthcare provider that mishandles and/or fails to report cybersecurity incidents and breaches could be subject not only to HIPAA liability but also to FCA prosecution and civil liability. This means that health care providers that do not maintain adequate privacy and cybersecurity compliance measures, that mishandle or fail to protect the security of protected health information, and/or that fail to timely report a data breach may face both draconian HIPAA and FCA damages and penalties.
Six Steps for Healthcare Providers to Implement to Stave Off Cybersecurity FCA Actions.
- Understand All Applicable Cybersecurity Requirements. The first step in avoiding exposure to FCA actions is to make sure to understand all applicable HIPAA, privacy, and security requirements. If you are a healthcare provider submitting claims for reimbursement to federal healthcare programs, understanding the applicable HIPAA/Security laws is critical. Further, if you have entered into any federal contracts and/or grants, those agreements should be reviewed for additional privacy and cyber security obligations.
- Review Internal Cybersecurity Policies/Protocols and Incident/Breach Response Plans. Once you understand all applicable privacy and security laws and contract provisions, take the time to review and/or develop policies, procedures, and protocols governing compliance with the laws and provisions and ensure incident/breach response plans are comprehensive and reasonable. It is also imperative that you understand what your organization actually does with data, and in particular, PHI. Risk assessments and audits regularly identify inconsistencies between what healthcare organizations say they are doing and what they are actually doing with patient information.
- Assess Staff Competencies. As you assess the framework for compliance with applicable privacy and security laws and contract provisions, evaluate whether you have the correct staff in positions with responsibility for implementing, monitoring, and overseeing these compliance functions. Review the credentials and education of individuals assigned in these areas to make sure the staff can competently oversee the areas and coordinate these with role-based access controls.
- Review Operations of the General Compliance Program, Including Reporting Systems. As long as the DOJ keeps cybersecurity as a key focus, it will continue to encourage FCA whistleblowers to come forward to report concerns and failings. Therefore, a key to minimizing the risk of FCA whistleblower actions is to ensure you have a compliance infrastructure and culture that encourages internal reporting, so that leadership and administration have the chance to address issues before individuals report concerns to outside resources, like the DOJ or a United States Attorney’s Office.
- Train Leadership, Administration, and Staff. Health care providers will want to ensure that everyone in the organization is well trained on HIPAA/security basics as well as incident reporting and internal reporting structures. In addition, leadership and administration should be well trained in identifying and implementing privacy/security systems and in handling reports of HIPAA incidents. Mock incident response training can also be very helpful in highlighting key roles and responsibilities before an actual situation arises.
- Review Vendor Management Programs and Third-Party Contracts. In addition to monitoring compliance within the health care provider, a provider that uses third-party vendors will want to review its general vendor management program to ensure third-party vendors are vetted appropriately. In addition, providers will want to make sure there are robust, specific privacy/security controls and incident reporting obligations in vendor contracts. These obligations extend to vendors involved with, or engaged as a result of, business transactions and mergers or acquisitions.
If you need assistance with navigating the implications of the DOJ’s focus on cybersecurity, taking proactive steps to strengthen your internal privacy/security compliance systems, or defending against DOJ or other investigations, please reach out to Maynard Nexsen for assistance.
[i] Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative | OPA | Department of Justice
[vi] Medical Services Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan | OPA | Department of Justice
About Maynard Nexsen
Maynard Nexsen is a full-service law firm with more than 550 attorneys in 24 offices from coast to coast across the United States. Maynard Nexsen formed in 2023 when two successful, client-centered firms combined to form a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies.