The DOJ’s Focus on Clinical Trial Enforcement: An Ounce of Prevention Is Better Than an Enforcement Action Cure

Introduction

In early April, the U.S. Department of Justice (DOJ) Civil Division’s Consumer Protection Branch (CPB) published its first-ever “Recent Highlights” report. The report provides background on the CPB, highlights from its recent work and discusses the CPB’s enforcement priorities.

The report leads with the CPB’s work on consumer health and safety matters, highlighting a subset of the CPB’s work relating to clinical trial fraud. Not only is clinical trial fraud, as noted in the report, an enforcement priority for the CPB, these cases are worth further attention because they frequently involve federal funds, raising the risk of an investigation, government enforcement action or private whistleblower suit under the False Claims Act (FCA). And clinical trials are closely tied to other federal enforcement priorities, including the DOJ’s interests in corporate misconduct, particularly for health care and medical device companies that may have received COVID-related funds, corresponding individual accountability, and the DOJ’s new FCA-based civil cyber-fraud initiative. Companies, academic institutions, research organizations and individuals involved in, or that rely on, clinical trials should be proactive about managing related risks, including updating policies and controls for issues such as cybersecurity and data privacy.

The CPB

The CPB has the authority to initiate civil and criminal actions, as well as represent various federal agencies in defensive litigation. The CPB report touts that between October 2020 and December 2021, they brought cases against over 200 individual defendants, secured 17 corporate guilty pleas, entered into five corporate deferred prosecution agreements and resolved 29 corporate civil matters. Across its matters in the past year, the CPB recovered over $6.38 billion dollars in resolutions and judgments.

Clinical Trial Fraud

While speaking about the CPB’s priorities, Deputy Assistant Attorney General Arun G. Rao, who oversees the CPB, highlighted clinical trial fraud as a key topic for future enforcement efforts. He referenced two recent clinical trial fraud cases, saying these CPB matters “represent only a sample of the CPB’s clinical trial fraud enforcement efforts, and we expect to bring further actions in the coming months.” He went on to explain how clinical trial fraud can harm the public’s trust in testing and the U.S. Food and Drug Administration (FDA) approval process, as perpetrators “are trafficking in misinformation, leading consumers to put faith in falsehoods instead of sound medical treatments that have been scientifically proven to be safe and effective.”

The CPB’s recent highlights report similarly emphasized that its allegations “often” include clinical trial fraud and provided details for two recent enforcement actions.

• Unlimited Medical Research: Last year, several employees and the co-owner of a company known as Unlimited Medical Research LLC (UMR), pleaded guilty to conspiracy to commit wire fraud and obstruction of justice stemming from a fraudulent clinical trial. The defendants admitted entering into an agreement with a contract research organization (CRO) to conduct a study, but then inventing records of clinical trial participation. The clinical investigator and co-owner of UMR, a physician, had patients at her medical practice sign informed consent paperwork, but others then fabricated the follow-up contact and clinical trial data. A global pharmaceutical company that sponsored this study, including developing the protocol for the clinical trial, raised concerns after the CRO flagged irregularities in UMR’s data. The clinical investigator and her two study coordinators pleaded guilty and were sentenced to prison. A co-owner of UMR was separately charged for obstructing an FDA inspection and investigation into these issues and is scheduled for sentencing later this month. The company sponsoring the trial was not charged.
• Tellus Clinical Research: In June 2021, a sub-investigator and an assistant study coordinator at Tellus Clinical Research each pleaded guilty to participating in a conspiracy in connection with falsifying clinical trial data. In October 2021, the project manager pleaded guilty to conspiracy to commit mail and wire fraud. They, along with others at Tellus including the CEO, made it seem as if subjects were participating in clinical trials when, in fact, they were not. This included enrolling ineligible friends, family members and others who did not suffer from the relevant medical conditions including using personal identification documents. They went as far as to draw blood from other Tellus employees and submit it as study samples and create other false records of the purported subjects’ experience. To date, three defendants pleaded guilty to charges including conspiracy to commit mail and wire fraud and conspiracy to defraud the United States. They were sentenced to prison and ordered to pay over $2 million in restitution, while three remaining defendants, including Tellus’ CEO, await trial. Again, the sponsor was not charged.

What This Enforcement Priority Means for Companies Involved in Clinical Trials

While these “highlight” cases focused on individuals who engaged in egregious misconduct (not on the study sponsors or CROs), they serve as a warning to everyone involved in clinical trials.

Companies involved in clinical trials should:

• Ensure they are following all relevant requirements, including data handing protocols related to blinded studies, monitor risks consistent with their obligations and flag concerns about the data, where appropriate.

Given the prevalence of federal funding in medical research, companies engaged in such work may make submissions to the government and/or claims for reimbursement. Any misrepresentation in that process may constitute a “false” claim and result in FCA liability. As a civil statute, the FCA requires a more limited showing of intent, meaning the government may pursue cases where the falsehood resulted from “deliberate ignorance” or “reckless disregard.” Thus, a party not involved in the underlying misconduct could potentially be liable under the FCA for ignoring red flags relating to the trials or data.^[i] It is not beyond the possibility that sponsors, CROs or others affiliated with the tainted clinical trials—like those in the two CPB-highlight cases—could find themselves facing FCA investigations where if they were aware of issues and then failed to investigate or report. Companies that engage in clinical trial work at any level, even as sponsor relying on others, should take care to fully understand their obligations in connection with any government funding and be vigilant when issues arise.

• Have strong data governance. As evidenced by the two CPB-highlight cases, clinical trials also raise distinct cyber and data privacy risks.

The UMR and Tellus defendants could have also faced consequences for potentially violating HIPAA, committing identity theft, and failing to follow protocols and requirements relating to data privacy. The latter itself raises the possibility of an FCA action under the DOJ’s civil cyber-fraud initiative. As Orrick previously covered, the DOJ recently resolved an FCA case with a settlement focused on federal contractors’ failure to follow cybersecurity standards. As many clinical trials involve government funds and given the wealth of regulated patient and other data involved, these matters raise numerous data-based risks. As just one example, recipients of research funds from the National Institutes of Health (NIH) are generally required to take steps such as encrypting sensitive data, limiting access to personally identifiable information (PII), transmitting data only when the security of the recipient is known, and protecting information from inadvertent loss, release or disclosure. In both the UMR and Tellus cases, the broad misuse of PII and other misconduct may have violated any such applicable requirements.

As clinical trial fraud enforcement efforts increase, health care and life sciences companies who participate in clinical trials should be careful about their obligations and consider how they can strengthen related policies and processes — particularly concerning data privacy and cyber-fraud risks.

Orrick can assist health care and life sciences companies in reviewing their internal controls, vetting potential partners, managing data privacy and cyber fraud risks, and investigating any incidents that may arise.