Yesterday DOJ announced its first settlement under the Department’s new “Cyber-Fraud Initiative.” This initiative, announced in October 2021, aims to “utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.” However, as discussed further here, in addition to targeting traditional government contractors, the initiative presents broader opportunities for DOJ to use the FCA to address data protection practices by healthcare providers.
The healthcare industry is consistently the recipient of disproportionate oversight under the FCA, and thus it is perhaps no surprise that DOJ’s first settlement under the Cyber-Fraud Initiative was with a healthcare provider. As announced here, a healthcare provider furnishing medical services on air force bases paid $930,000 to resolve allegations that it “violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services.” The settlement also resolved allegations relating to controlled substances.
Aside from being the first Cyber-Fraud Initiative settlement, the resolution is also notable because it is based on a broad conception of cybersecurity; the alleged misconduct did not involve flaws with the cybersecurity system in place, but rather resulted from allegedly lax data protection practices through the defendant’s failure to “consistently store patients’ medical records on a secure [electronic medical record] EMR system.” DOJ’s press release also never states that the defendant violated a particular contractual requirement involving data protection. Instead, DOJ notes that the defendant “submitted claims to the State Department for the cost of a[n] [EMR] system to store all patients’ medical records” and then failed to consistently use the system for which they were billing the government. Thus, the government seems to be proceeding on a theory that the claims submitted for the cost of the EMR system were false, because the defendant implied it was consistently using that EMR system when it was not.
This settlement demonstrates how DOJ may begin to creatively pursue FCA theories of liability against healthcare providers based on criticisms of their data protection practices, even when providers are under no specific contractual obligations—from federal healthcare programs or otherwise—relating to cybersecurity.