DOJ Kicks Off Civil Cyber-Fraud Initiative with $930,000 Settlement: What Government Contractors Need to Know

March.17.2022

The Department of Justice (DOJ)’s Civil Cyber-Fraud Initiative, less than six months old, just resolved the first case against Comprehensive Health Services (CHS). There are two critical takeaways for all organizations that do business with the government. First, DOJ pursued the FCA claim, despite there being no allegation that CHS’s medical record services were noncompliant; only that data supposed to be maintained exclusively in the electronic medical record system was also replicated outside that system and available without the same quality of cybersecurity protections. Second, the action was brought without any evidence of cyberattack. Bottom line, the $930,000 settlement is a reminder of the importance of robust cyber compliance in securing and performing government contracts and, in particular, identifying and responding to potential risk areas.

By way of background, in October 2021, DOJ launched the Civil Cyber-Fraud Initiative to use the False Claims Act and related “civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards[.]” The FCA prohibits knowingly submitting materially false claims for payment to the federal government. The goal of the Initiative is to leverage the FCA to target contractors that (1) knowingly provide deficient cybersecurity products or services, (2) knowingly misrepresent their cybersecurity practices or protocols, or (3) knowingly violate obligations to monitor and report cybersecurity incidents and breaches.

Shortly after announcing the initiative, DOJ filed a Statement of Interest in U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings Inc.,^[1] similarly arguing that the submission of false claims for cybersecurity services can provide a basis for recovery, even if the underlying product or service (in that case rocketry) was not otherwise defective. DOJ also argued that incomplete disclosure of noncompliance to the federal government was not sufficient to absolve a contractor of false claims liability. The court subsequently adopted these positions.^[2]

On March 8, 2022, the DOJ settled two actions against CHS,^[3] alleging that CHS had not complied with the terms of its contract to provide medical support services to Department of State (DoS) facilities in Iraq—specifically. CHS billed DoS $485,866 for storing medical records in a secure Electronic Medical Record (EMR) system even though it knew staff regularly stored copies of medical records on a shared drive accessible to non-clinical staff. The Settlement also explains that staff members raised the issue to management and did not receive an adequate response from management.^[4] CHS agreed to pay $930,000 plus attorneys’ fees to resolve the claims without admitting fault.

While the settlement itself is not a game changer and is in line with DOJ’s earlier stated objectives, it is a reminder that legal cybersecurity risks exist even when there is no breach, and thus the importance of cybersecurity compliance processes both in the application for, and execution of, government contracts. This includes being particularly mindful of processes for identifying, escalating, and responding to identified risk areas. It also includes processes for multidirectional communication between security, legal, and compliance to align these teams on both the business’s legal obligations and its current security state. In line with the broader goals of the Civil Cyber-Fraud Initiative, government contractors should promptly, if they have not recently, evaluate their incident response processes to confirm they align with existing contractual obligations. Otherwise, they risk significant penalties under the FCA.

Orrick’s Cyber, Privacy, & Data Innovations team is ready to assist government contractors in reviewing their cyber security programs in light of their contractual obligations and to conduct tabletop incident response exercises designed to avoid FCA liability.

^[1] No. 15-cv-2245, Dkt. 135 (E.D. Cal.)

^[2] Id. Dkt. 155.

^[3] , U.S. ex rel. Watkins et al. v. CHS Middle East LLC, No. 17-cv-4319 (E.D. N.Y.) and U.S. ex rel. Lawler v. Comprehensive Health Services, Inc., et al., No. 20-cv-698, Dkt. 26-1 (E.D. N.Y. Feb. 28, 2022).

^[4] Unrelated to cyber, the allegations also included that CHS submitted false claims concerning regulatory approval of some medications.

Authors

Thora Johnson Partner, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora has extensive experience counseling clients on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans
Price transparency and surprise billing rules applicable to hospitals and health plans

Joseph C Santiesteban Partner, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

Seattle

See my bio

D:+1 206 839 4352
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban Partner

Seattle

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.

His goal is to help clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly adept at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on communications strategies that build trust and engagement.

Joe is committed to using these experiences to finding creative and engaging strategies to help companies proactively prepare for an incident and mitigate cybersecurity legal risk. This includes helping to build and improve incident response programs through incident response plans, simulated incidents, threat workshops, and training. It also includes assisting clients to practically evaluate legal risk of security decisions in a variety of transactions and across the product lifecycle. He is driven by a desire to evolve what it means to be a cybersecurity lawyer in the face of rapidly evolving technologies and laws. As a leader, he strives to create spaces where people are valued and solve problems creatively and collaboratively.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on the Orrick’s Finance and Audit Committee and Pro Bono Committee. A leader and advocate for diversity and inclusion initiatives, Joseph is the co-head of the Latinx affinity group at Orrick and served as a fellow for the Leadership Counsel on Legal Diversity. He is also a member of the Washington Latino Bar Association and the Hispanic National Bar Association.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Joseph Walker Partner, White Collar, Investigations, Securities Litigation & Compliance, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 339 8565
E: [email protected]

Practice:

White Collar, Investigations, Securities Litigation & Compliance
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph Walker Partner

Washington, D.C.

In private practice, Joe represents companies and executives in FCPA internal investigations, enforcement actions, compliance and defense matters before the U.S. Securities and Exchange Commission (SEC), the Office of Foreign Assets Control (OFAC), the US Department of Justice (DOJ), the UK’s Serious Fraud Office and similar authorities. While at DOJ, Joe was a member of several task forces, including the Securities Fraud Task Force and DOJ’s Task Force into corruption allegations relating to the award of the Winter Olympics to Salt Lake City. Joe also acted as lead prosecutor on several high-profile matters, such as the first-ever joint FCPA enforcement action between the SEC and the DOJ against KPMG and Baker Hughes (which is now the template for FCPA enforcement); an insider trading matter against the former CFO of a waste removal company; and a tax fraud prosecution involving an executive of the U.S. Olympic Committee.

Joe provided counsel in high-profile matters, including leading the internal investigation for HealthSouth (relating to the first criminal indictment under the Sarbanes-Oxley Act); representing an executive for Credit Suisse under indictment for allegations related to tax evasion by U.S. citizens; working on notable FCPA investigations and representing financial institutions in enforcement matters with the Consumer Finance Protection Bureau and the Federal Deposit Insurance Corporation. Joe was appointed by the DOJ and the SEC to be the FCPA Compliance Monitor of Weatherford International Ltd., a large multinational corporation in the oil and gas industry, to monitor its FCPA Compliance Program in connection with a deferred prosecution agreement and settlement with those agencies. Joe has acted as Counsel to the monitor for FCA US LLC in the first-ever appointment of a monitorship by the Department of Transportation’s National Highway Traffic Safety Administration.

Joe also represents boards of directors, audit committees, officers, senior management and employees of global corporations in enforcement and criminal matters around the world and he frequently conducts internal investigations and due diligence for global clients. Such matters have included allegations of, FCPA violations, healthcare fraud, qui tam and False Claims Act actions, insider trading and similar matters. These matters have included such locations as Brazil, China, France, India, Indonesia, Korea, Kyrgyzstan, Malaysia, Nigeria, Pakistan, the Philippines, Russia, Singapore, Switzerland, Thailand, Turkestan, Turkmenistan, the UK, the United Arab Emirates and Uzbekistan.