The Department of Justice unveiled its Cyber-Fraud Initiative in October 2021, announcing that it planned to use its civil fraud enforcement authority under the False Claims Act to ensure compliance with contractual cyber-security requirements applicable to government contractors. On March 8, 2022, the DOJ followed through with an announcement that Comprehensive Health Services, LLC (“CHS”) had agreed to pay $930,000 to resolve allegations that it violated the False Claims Act. The settlement marked “the Department of Justice’s first resolution of a False Claims Act case involving cyber fraud since the launch of the department’s Civil Cyber-Fraud Initiative,” which aims to combine the department’s “expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.”
According to the allegations, CHS had a contractual obligation to store patients’ medical records in a secure electronic medical record system. Between 2012 and 2019, however, CHS failed to disclose to the government that it had not consistently stored patients’ medical records on a secure system: its employees occasionally saved and left scanned copies of records on an internal network drive that was accessible to non-clinical staff.
While the facts and the settlement amount are not particularly remarkable, the DOJ’s settlement is noteworthy for several reasons. First, this case did not involve a violation of the standard FAR or DFARS clauses governing cyber compliance requirements, which indicates that the DOJ is taking a very broad view regarding what cyber-related contractual violations constitute fraud. Second, the case demonstrates the DOJ’s willingness to devote resources to enforcing cyber-related contract violations under the False Claims Act, even when the alleged facts are not particularly egregious. Finally, the DOJ has openly stated that it hopes publicizing its cyber-fraud initiative will encourage whistleblowers to bring cyber-related cases under the False Claims Act’s qui tam provisions. The DOJ’s announcement suggests that it will continue to encourage whistleblowers to report cyber-related violations.