The inexorable expansion of the False Claims Act (“FCA”) to cover nearly all forms of cybersecurity breaches and violations – to include allegedly poor practices and failure to fully adhere to security controls – continues. At one time, a company might have thought that it was unlikely to face a potential FCA investigation and litigation regarding its cybersecurity practices. That day is long gone. Two recent FCA settlements illustrate the expansion: one is the first cybersecurity FCA settlement involving the healthcare Quality System Regulation (“QSR”) and the other involves the first settlement with a defense contractor that also pulls in its private equity owner.
A Brief History of FCA Cybersecurity Enforcement
Four years ago, the Department of Justice (“DOJ”) announced a Civil Cyber-Fraud Initiative that would, among other things, utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. As one of our co-authors wrote at the time, we expected the Initiative to “create more pressure for companies to commit substantial resources to cybersecurity compliance” (details here) and result in a considerable increase in FCA cases. Soon thereafter, DOJ entered into a settlement concerning a telecommunications company’s alleged failure to “satisfy certain cybersecurity controls in connection with an information technology service provided to federal agencies” (details here), followed by a pair of cases involving universities (details here and here).
While these (and other) FCA cases were being investigated, litigated and settled, government agencies continued to roll out new cybersecurity regulations and guidance. For example, the Department of Defense issued new regulations concerning cybersecurity (details here), DOJ rolled out a new Data Security Program (details here), and the U.S. Department of Health and Human Services (“HHS”) proposed amendments to HIPAA’s Security Rule (details here). States were also active; for example, New York now has cybersecurity requirements for hospitals (details here). And even the White House has issued an Executive Order concerning cybersecurity (details here).
Against this active regulatory and enforcement backdrop, two recently announced settlements illustrate the continued expansion of the FCA into all kinds of cybersecurity matters.
$1.75m FCA Settlement with Defense Contractor and Private Equity Firm
DOJ recently announced an FCA settlement with a defense contractor and a private equity firm. Specifically, the settlement of $1.75m resolves liability for (1) failure to implement National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 cybersecurity controls as required by Department of Defense (“DoD”) acquisition regulations (DFARS 252.204-7012) from January 2018 to February 2020 and (2) failure to control the flow of and access to Controlled Unclassified Information (“CUI”) from June 2019 to July 2019. The cybersecurity requirements stem from the defense contractor’s contract with the Department of the Air Force.
The settlement acknowledged that both the contractor and its private equity investor “took significant steps entitling them to credit for cooperating with the government.” Specifically, the contractor submitted two written disclosures regarding the cybersecurity non-compliance, and both entities cooperated with the Government’s investigation. The settlement credited them pursuant to the DOJ’s Justice Manual § 4-4.112 for the disclosure, cooperation, and remediation actions.
Notably, this settlement included the private equity firm in addition to the portfolio company (the defense contractor). Over the last several years, in addition to an increased focus on cybersecurity, DOJ has also increased its focus on applying the FCA to private equity firms (details here and here). This settlement is the inevitable merging of those two trends.
$9.8m FCA Settlement with A Medical Device Company
DOJ also recently announced a $9.8 million FCA settlement with a biotechnology company in the genetic testing industry. The settlement resolved allegations that the company violated the FCA by selling genomic sequencing systems to the federal government that contained cybersecurity vulnerabilities from February 2016 to September 2023. In the settlement agreement, the company denied the allegations and did not admit liability. The whistleblower received a $1.9m share of the settlement.
The government alleged that the products, which have the ability to access and manipulate HIPAA-protected patient genomic data, contained cybersecurity vulnerabilities and that the company lacked an adequate security program to identify such vulnerabilities. The allegations stem from the U.S. Food and Drug Administration regulations for medical devices – its QSR. Oddly, DOJ does not explicitly cite the QSR as the basis for the alleged falsity of the claims, but appears to suggest that a QSR failure in and of itself results in FCA liability if it causes cybersecurity deficiencies (even without a breach) that therefore result in false representations to a government agency regarding cybersecurity compliance. This appears to be the first FCA case involving the QSR and the first cybersecurity case involving a medical device company.
When All You Have Is A Hammer, Everything Looks Like A Nail
It’s no secret that DOJ loves the FCA. Among other things, the possibility of treble damages and per-claim penalties (which can now exceed $28,000 per claim) provides for potentially devastating monetary consequences. This in turn gives DOJ significant leverage in FCA cases—leverage it lacks with other civil enforcement tools. Thus, it is not surprising that FCA claims and settlement values continue to rise. In fiscal year 2024, FCA settlements and judgments overall exceeded $2.9 billion, with 558 settlements and judgments.
Since the inception of DOJ’s Civil Cyber-Fraud Initiative in October 2021, the DOJ has continued to pursue cybersecurity fraud allegations under the FCA, and these settlements evidence the broadening of cybersecurity FCA cases to medical device companies as well as private equity firms. As Brett Shumate, Assistant Attorney General of the Department’s Civil Division, stated in the settlement press release: “[c]ompanies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks.” We expect that scrutiny will be greater for entities that handle private and sensitive information, such as medical records, genomic data, or CUI.
Moreover, while healthcare has historically been an enforcement priority of the Department and its collaboration with HHS is longstanding, just last month DOJ upped the ante by announcing the reformation of the DOJ-HHS False Claims Act Working Group, which will prioritize investigations into several areas, including “materially defective medical devices.” Just as DOJ’s Civil Cyber-Fraud Initiative has resulted in an increase in cybersecurity FCA cases, we expect that the reformation of the Working Group will result in more healthcare and medical device FCA cases. Additionally, it is certain these efforts will overlap and there will be an increase in healthcare cybersecurity cases.
Cybersecurity Considerations Going Forward
Medical device companies, government contractors, and all healthcare entities subject to cybersecurity regulations should continue to prioritize a robust cybersecurity compliance program, with an emphasis on proactive remediation of any identified cybersecurity lapses, self-disclosure, and Government cooperation. Organizations should consider regular review of cybersecurity practices and systems, especially where sensitive health and/or national security information is involved, as well as ensuring the continued accuracy of all representations to government agencies and customers concerning cybersecurity.
