Mar 92022

DOJ’s First “Cyber-Fraud” Settlement Targets Healthcare Provider

Jaime L.M. Jones and Brenna E. Jenny
, , ,

Yesterday DOJ announced its first settlement under the Department’s new “Cyber-Fraud Initiative.”  This initiative, announced in October 2021, aims to “utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.”  However, as discussed further here, in addition to targeting traditional government contractors, the initiative presents broader opportunities for DOJ to use the FCA to address data protection practices by healthcare providers.

The healthcare industry is consistently the recipient of disproportionate oversight under the FCA, and thus it is perhaps no surprise that DOJ’s first settlement under the Cyber-Fraud Initiative was with a healthcare provider.  As announced here, a healthcare provider furnishing medical services on air force bases paid $930,000 to resolve allegations that it “violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services.”  The settlement also resolved allegations relating to controlled substances.

Aside from being the first Cyber-Fraud Initiative settlement, the resolution is also notable because it is based on a broad conception of cybersecurity; the alleged misconduct did not involve flaws with the cybersecurity system in place, but rather resulted from allegedly lax data protection practices through the defendant’s failure to “consistently store[] patients’ medical records on a secure [electronic medical record] EMR system.”  DOJ’s press release also never states that the defendant violated a particular contractual requirement involving data protection.  Instead, DOJ notes that the defendant “submitted claims to the State Department for the cost of a[n] [EMR] system to store all patients’ medical records” and then failed to consistently use the system for which they were billing the government.  Thus, the government seems to be proceeding on a theory that the claims submitted for the cost of the EMR system were false, because the defendant implied it was consistently using that EMR system when it was not.

This settlement demonstrates how DOJ may begin to creatively pursue FCA theories of liability against healthcare providers based on criticisms of their data protection practices, even when providers are under no specific contractual obligations—from federal healthcare programs or otherwise—relating to cybersecurity.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Jaime L.M. Jones

Chicago

jaime.jones@sidley.com

Brenna E. Jenny

Washington, D.C.

bjenny@sidley.com

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Cybersecurity Takeaways From White House Tech Report

On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.

EU Formally Adopts World’s First AI Law

On March 13, 2024, the European Parliament formally adopted the EU Artificial Intelligence Act (“AI Act”) with a large majority of 523-46 votes in favor of the legislation. The AI Act is the world’s first horizontal and standalone law governing AI, and a landmark piece of legislation for the EU.