Last fall, the United States Department of Justice (“DOJ”) launched its Civil Cyber-Fraud Initiative (“CCFI”) as part of its effort to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” Led by the Civil Fraud Section of DOJ’s Commercial Litigation Branch, the CCFI leverages the False Claims Act (“FCA”) to prosecute, in part, government contractors and federal grant recipients for cybersecurity-related fraud.

The CCFI secured its first settlement in March 2022 in the Eastern District of New York. Comprehensive Health Services (“CHS”) of Cape Canaveral, Florida, agreed to pay $930,000 to resolve allegations that it violated the FCA by falsely representing compliance with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan. In the settlement agreement, DOJ specifically alleged that CHS failed to store medical records on a secure electronic medical record system. According to DOJ, some of the medical records were saved to an unsecured internal network drive and improperly made accessible to non-clinical staff. According to DOJ, this constituted a direct violation of government contractual requirements and raised numerous privacy concerns. In announcing the settlement, DOJ reiterated its priority to curb cybersecurity violations that place “confidential medical records at risk.”

About four months after its resolution with CHS, DOJ announced that a defense contractor agreed to pay $9 million to resolve allegations that it violated the FCA by allegedly misrepresenting its compliance with cybersecurity requirements in certain federal government contracts, including contracts with the Department of Defense and NASA.

The CCFI aims to hold government contractors and grant recipients accountable under the FCA for violations involving cybersecurity-related fraud. Specifically, the CCFI is focusing its enforcement efforts on individuals and entities that knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate their obligations to monitor and report cybersecurity incidents and breaches within the applicable timelines.

Since 1986, DOJ’s Civil Fraud Section has recovered over $70 billion in FCA settlements and judgments, including over $5.6 billion in 2021 alone—the second largest annual recovery in its history. Indeed, DOJ’s creation of the CCFI—which drastically expands the potential liability of government contractors, grant recipients, and other health care providers participating in federal health care programs—signals that the government seeks to continue enforcing the FCA by focusing on data privacy and cybersecurity violations.

DOJ’s resolutions stemmed from actions brought by whistleblowers under the qui tam provisions of the FCA. These provisions allow private parties to file actions on behalf of the United States and to receive a portion of any settlement agreement in which the United States recovers damages, assessments, and/or penalties. The FCA is especially forceful due to its treble damages provision—enabling the government to recover up to three times the amount of the alleged loss to the federal government, in addition to attorney’s fees and costs. Consequently, qui tam relators—who are entitled to between 15 and 30 percent of the total damages recovered by the federal government—will likely be highly motivated to come forward with evidence of cybersecurity failures, especially those placing protected health information (“PHI”) at risk. As such, DOJ’s enforcement activity under its CCFI stands to significantly benefit the plaintiff’s bar as employees become increasingly motivated to report their employers to the federal government for alleged FCA violations, including those relating to cybersecurity and data privacy.

In promoting the work of CCFI, DOJ’s Principal Deputy Assistant Attorney General has emphasized that whistleblowers with “inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct.” DOJ will likely increasingly rely on whistleblowers to contribute to civil enforcement of cybersecurity requirements via the FCA.

Additionally, the CCFI will likely continue to leverage the false certification theory of liability to trigger FCA liability. For example, FCA liability may be imposed if a government contractor misrepresents its cybersecurity compliance to the federal government by knowingly or recklessly disregarding cybersecurity requirements set forth in a federal government contract. Furthermore, misrepresentations regarding a contractor’s cybersecurity protocols, including those delineating cyber threat preparedness, may expose a contractor to FCA liability even if the misrepresentations occur outside of an executed contract. Such contexts include contract proposals and correspondence with federal government staff relating to contemplated or executed contracts. Entities must therefore strictly adhere to the Solicitation Provisions and Contract Clauses sections of the applicable Federal Acquisition Regulations (“FAR”). Similarly, defense contractors must adhere to the certifications of compliance with cybersecurity regulations set forth in the Defense Federal Acquisition Regulation Supplement (“DFARS”). See also 31 U.S.C. § 3729.

DOJ’s CCFI enforcement efforts also implicate the potential liability of covered entities under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While the United States Department of Health and Human Services, Office for Civil Rights (“OCR”), has traditionally enforced compliance with the HIPAA Privacy and Security Rules, and while alleged violations of HIPAA have not traditionally provided bases for FCA actions or resolutions, investigations have increasingly intersected with cybersecurity matters, including data breaches involving PHI, when privacy and security measures are required under the applicable FAR and/or government contracts. Consequently, coordination and cooperation between the CCFI and OCR is likely as the FCA becomes yet another instrument in the federal government’s HIPAA enforcement repertoire.

Government contractors and grant recipients, as well as other participants in federal health care programs, should expect increased enforcement of cybersecurity-related fraud under the FCA. Furthermore, as a result of the DOJ’s creation of CCFI, the FCA may now be leveraged as a privacy- and security-related enforcement tool where cybersecurity violations are involved, which may include data breaches involving PHI and other sensitive personal information. Participants in federal health care programs are expected to conduct comprehensive internal audits/reviews of their technical safeguards to ensure simultaneous compliance with cybersecurity-related government contract provisions and the applicable privacy- and security-related requirements.

*      *     *     *     *     *

Special thanks to summer associates Sarah Ghivizzani and Michael J. Menconi for their contributions to this post.