DOJ continues its pursuit of cybersecurity fraud under the Civil Cyber-Fraud Initiative
On October 6, 2021, Deputy Attorney General Lisa O. Monaco of the Department of Justice (DOJ) announced a Civil Cyber-Fraud Initiative aimed at leveraging the False Claims Act (FCA) to target cybersecurity-related fraud conducted by government contractors and federal grant recipients.[1] The initiative signaled a focus on improving cybersecurity across the government, public sector, and industry, by securing significant recoveries to reimburse the government and taxpayers for losses incurred.
At the same time, there has also been an even greater uptick in whistleblowers seeking to hold contractors and grantees accountable under the FCA for alleged failures to comply with their cybersecurity obligations under federal contracts. The increase in both public and private enforcement of the FCA relating to cybersecurity – in combination with the growing number of federal agencies implementing their unique cybersecurity requirements for federal contracts – means that federal contractors and grantees will need to implement robust compliance initiatives in this area.
Recent Settlements and Actions
DOJ’s first settlement of 2023 resolved allegations that a design firm, Jelly Bean Communications Design, and its manager failed to secure personal information on a federally funded children’s health insurance website.[3] Jelly Bean had contracted with a Florida state entity funded through Medicaid to create, host, and maintain a website that was required to apply protections for personal information imposed by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. DOJ alleged that, from 2014 to 2020, contrary to its contractual representations and invoices, Jelly Bean did not provide secure hosting of personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying its websites. By December 2020, more than 500,000 applications submitted on the website were revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data. In light of the cyber failures and risk to sensitive data, DOJ pursued remedies under the FCA, eventually leading to a settlement for $293,771 in March of 2023.
The second settlement of 2023 resolved allegations that a communications contractor failed to completely satisfy certain contractually required cybersecurity controls in connection with an information technology service provided to federal agencies between 2017 and 2021.[4] After learning of the issues, the firm initiated an independent investigation and compliance review, and under voluntary self-disclosure protocols, provided the government with multiple, detailed supplemental written disclosures. Factoring in the contractor’s voluntary disclosure, investigation, and remediation, the government determined that the contractor was entitled to credit for cooperating and settled the case for over $4 million.
Last year also saw the unsealing of qui tam actions relating to allegations of non-compliance with cybersecurity obligations at academic institutions with government contracts for research, demonstrating that contractors and grantees can become easy targets for whistleblowers. Federal contractors and grantees should be mindful of the incentives for whistleblowers to come forward, especially those privy to a company’s cybersecurity obligations and practices.
Avenues for Enforcement Against Government Contractors and Grantees
As demonstrated by the most recent settlements, government contractors and grantees are subject to increased scrutiny of their compliance with cybersecurity requirements, as well as enforcement actions based on alleged failures to meet those obligations. These settlements further underscore concerns that what may have been viewed as breach of contract actions in the past have now shifted into the FCA realm because of the cybersecurity certifications required in government contracts.
Government contractors and grantees may already find themselves subject to cybersecurity requirements requiring substantial investments in data security infrastructure that meets specific standards, including the Federal Acquisition Regulation’s (FAR) basic safeguarding clause at 52.204-21 and the Department of Defense’s (DoD) safeguarding and cyber incident reporting requirements in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Other agencies have recently implemented their unique cybersecurity requirements for contractors. The Department of Homeland Security (DHS), for instance, implemented a new Homeland Security Acquisition Regulation (HSAR) clause 3052.204-72, Safeguarding of Controlled Unclassified Information (Jul 2023), which requires contractors and subcontractors to provide adequate security to protect Controlled Unclassified Information (CUI) from unauthorized access and disclosure and to report all known or suspected incidents within one hour if the incident involves personally identifiable information (PII) and eight hours for all other incidents.[5]
The Department of Veterans Affairs (VA) implemented a new clause, VA Acquisition Regulation (VAAR) 852.204-71, Information and Information Systems Security (Feb 2023), requiring contractors and others with access to VA information, information systems, or information technology (IT), or providing and accessing IT-related goods and services, to adhere to VA Directive 6500, VA Cybersecurity Program, as well as those outlined in the contract specifications, statement of work, or performance work statement.[6] Like the DHS clause, the VA clause also imposes a one-hour notification requirement, in this case for an incident that (i) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of its data and operations, or of its information or information system(s); or (ii) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. As agencies continue to implement either overlapping or conflicting cybersecurity requirements, the compliance burdens increase and the risk of running afoul of such requirements can also increase, making these areas ripe for scrutiny by the Federal government and whistleblowers.
In October 2023, two amendments to the FAR were proposed[7] to implement portions of President Biden’s May 2021 Executive Order (EO) No. 14,028, Improving the Nation’s Cybersecurity.[8] The first rule would standardize cybersecurity contractual requirements across Federal agencies for unclassified Federal information systems (FIS). Recognizing the importance of securing FIS – whether cloud-based, on-premises, or a hybrid of the two – the proposed rule sets out in great detail cybersecurity policies, procedures, and requirements applicable to contractors that develop, implement, operate, or maintain a FIS.[9] The second rule would require government contractors across all Federal agencies to share information about cyber threats, report cyber incidents, and make representations that they have submitted all security incident reports in a current, accurate, and complete manner.[10] Consistent with the government’s focus on scrutinizing cybersecurity noncompliance in terms of fraud, both rules state that compliance with the cybersecurity requirements “is material to eligibility and payment under Government contracts.”[11] This broad statement appears to capture the government’s position that every aspect of the proposed rules is “material” for FCA purposes, despite the Supreme Court’s decision in Universal Health Services, Inc. v. United States ex rel. Escobar, 579 U.S. 176, 191 (2016), confirming that the FCA is not a “vehicle for punishing garden-variety breaches of contract or regulatory violations.”[12]
Lastly, DoD released its proposed rule in December of 2023 for updating the Cybersecurity Maturity Model Certification (CMMC) program.[13] As confirmed by the rule, DoD anticipates the use of self-attestation, third-party certification, and government-led assessments for cybersecurity compliance. When the certification process begins or is renewed, it is possible that third-party certifiers or DoD may uncover inconsistencies between their assessment and a contractor’s assessment of its security controls. Should the validity of a contractor’s assessment later be questioned, it could leave the contractor vulnerable to a whistleblower claim that alleged false or reckless representations made in the self-assessment caused false claims to be made.
Liability for Health Care-Related Breaches
Recent DOJ enforcement actions also put healthcare institutions that participate in federal healthcare programs in the crosshairs. Healthcare institutions are subject to additional scrutiny because of their unique compliance requirements and may face enforcement actions based on alleged failures to meet those obligations. HIPAA is one important potential source of FCA liability for healthcare institutions.[14] The HIPAA Security Rule requires healthcare providers to safeguard against anticipated threats to the security of the protected health information they maintain, including conducting risk assessments to determine threats and implementing security measures to protect against those threats.[15] The Breach Notification Rule imposes additional notification requirements on covered entities and their business associates in the event of a breach.[16] Threat actors have targeted health information with increasing sophistication as health information has become a valuable commodity.[17]
Two recent FCA settlements involving alleged violations of cybersecurity-related HIPAA obligations demonstrate the importance for industry professionals of understanding and proactively addressing these obligations. First, the Jelly Bean settlement, discussed above, shows the dangers of HIPAA non-compliance specifically when dealing with federal or state funds. Second, the DOJ’s March 2022 settlement with Comprehensive Health Services LLC (CHS) – the first settlement under the Civil Cyber-Fraud Initiative – shows that HIPAA-related false claims may be a point of emphasis under the initiative.
That case involved allegations that although the government paid for a secure electronic medical record system to store patients' medical records, CHS instead stored certain personally identifiable information on an internal network drive that was accessible to nonclinical staff – in violation of its HIPAA obligations. CHS settled the case for $930,000.[18] The head of DOJ’s Civil Division, Principal Deputy Assistant Attorney General Brian M. Boynton, noted that “[t]his settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk.”[19]
Looking Ahead
The recent DOJ settlements and ongoing qui tam actions confirm that the number of enforcement actions will continue to increase. Contractors and grantees should brace for additional scrutiny and potential whistleblower claims in this area and carefully track fast-evolving cybersecurity rules and regulations, prioritizing related compliance efforts.
Jasmeet K. Ahuja is one of Hogan Lovells’ lead New York and Pennsylvania litigators when complex matters of data privacy and protection result in class action litigation and regulatory enforcement.
As an engineer with years spent working in the heart of our government's national security apparatus, Jasmeet brings both substantive and practical experience to her practice counseling clients, calmly steering them through their most vulnerable moments.
From navigating the difficult terrain that follows a cyber security incident to advising on the development of secure software applications, Jasmeet works with start-ups and Fortune 500 companies alike. She also counsels companies facing complex antitrust investigations, leveraging her background in government to proactively advise clients on the most efficient way to address regulator questions. When litigation is unavoidable, Jasmeet stands ready to be an advocate and problem-solver.
With a background in the aerospace and defense industry, Stacy Hadeka is a partner with Hogan Lovells and has a deep understanding of government contract issues impacting sector clients.
Stacy's practice encompasses all areas of government contracting, with a focus on matters of compliance, investigations and disclosure obligations, transactional due diligence, and bid protest litigation. She assists clients in managing complex government regulatory requirements in the areas of schedule contracting, cybersecurity, the supply chain, and domestic preferences. She also counsels clients on contract formation and administration.
Prior to joining Hogan Lovells, Stacy gained insight into the industry while working as in-house counsel for a major defense contractor and a commercial subsidiary with sales to the federal government. In her role, she supported the business by assisting with matters of compliance, ethics, and litigation. Stacy also clerked with the Civilian Board of Contract Appeals where she assisted with government contract claims and alternative dispute resolution.
Stacy received her J.D. from Boston College Law School and attended The George Washington University Law School for her LL.M. in Government Procurement. Through the LL.M. program, she deepened her knowledge and strengthened her skills associated with the practice of government contracts law.
References
[1] See Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative, U.S. Dep’t of Justice (Oct. 6, 2021), available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
[2] The prior year, DOJ settled FCA allegations against a medical services contractor for $930,000 and touted an aerospace and defense contractor’s FCA settlement for $9 million. See https://www.justice.gov/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical; https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity.
[3] See https://www.justice.gov/opa/pr/jelly-bean-communications-design-and-its-manager-settle-false-claims-act-liability.
[4] See https://www.justice.gov/opa/pr/cooperating-federal-contractor-resolves-liability-alleged-false-claims-caused-failure-fully.
[5] 88 Fed. Reg. 40,560 (June 21, 2023).
[6] 88 Fed. Reg. 4,739 (Jan. 25, 2023).
[7] 88 Fed. Reg. 68,055 (Oct. 3, 2023); 88 Fed. Reg. 68,402 (Oct. 3, 2023).
[8] See the Executive Order previously discussed here.
[9] See proposed FAR clauses FAR 52.239-XX and 52.239-YY.
[10] See proposed FAR clauses FAR 52.239-ZZ and 52.239-AA.
[11] 88 Fed. Reg. at 68,403; 88 Fed. Reg. at 68,055.
[12] Id. at 194.
[13] 88 Fed. Reg. 89,058 (Dec. 26, 2023).
[14] Healthcare institutions may be held liable under the FCA for claims made while noncompliant with HIPAA under what is known as “implied certification” liability. This arises when the institution represents, potentially even implicitly, that it is compliant with HIPAA and its failure to disclose noncompliance was misleading. In Universal Health Servs., Inc. v. United States, 579 U.S. 176, 190 (2016), the Supreme Court unanimously held that the “implied certification theory can be a basis for liability, at least where two conditions are satisfied: first, the claim does not merely request payment, but also makes specific representations about the goods or services provided; and second, the defendant's failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.”
[15] 45 C.F.R. §§ 164.302 - 164.318; see also https://www.hhs.gov/hipaa/forprofessionals/security/laws-regulations/index.html.
[16] 45 C.F.R. §§ 164.400 - 164.414.
[17] See https://www.hhs.gov/sites/default/files/types-threat-actors-threaten-healthcare.pdf.
[18] See https://www.justice.gov/opa/press-release/file/1480816/download.
[19] See https://www.justice.gov/opa/pr/jelly-bean-communications-design-and-its-manager-settle-false-claims-act-liability.