On March 8, 2022, the Department of Justice announced the first settlement of a case under the Civil Cyber-Fraud Initiative. Established in October 2021, the Initiative aims to utilize the government’s authority under the civil False Claims Act to pursue alleged instances of fraud and misrepresentation concerning cyber practices. (We previously wrote about the Initiative here.) The Initiative has been a point of emphasis in DOJ speeches and public comments in recent months. This settlement is a milestone in the rollout of the program and confirmation that DOJ intends to take allegations of cyber fraud seriously.
Comprehensive Health Services LLC (CHS) is a provider of global medical services that contracted to provide medical support services at Government-run facilities in Iraq and Afghanistan. Under the settlement, CHS agreed to pay $930,000 to resolve the allegations that it violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan.
CHS submitted claims to the State Department for the cost of a secure electronic medical record (EMR) system to store confidential patient records for service members, diplomats, officials and contractors working and receiving medical care in Iraq. The Government alleged that CHS did not consistently store patient records on the EMR, and failed to disclose this fact to the State Department. Specifically, the Government claimed that some copies of patient medical records were improperly saved to an internal network drive that may have been accessible to non-clinical staff in contravention of contractual requirements and notwithstanding privacy concerns raised by certain CHS staff.
Although this is the first settlement agreement under the Cyber Fraud Initiative, it is worth noting that the initial complaint filed by the relator relating to the cyber issues dates back to well-before DOJ’s announcement of the initiative. The settlement, which also covered non-cybersecurity issues, confirms DOJ’s intent to use its False Claims Act enforcement authority to incentivize qui tam relators to come forward with evidence of cybersecurity failures at government contractors.