More than two years later, DOJ has continued its pursuit of civil enforcement against contractors and grantees that fail to satisfy their cybersecurity obligations. The allegations leveled by DOJ against these companies include knowingly (1) providing deficient cybersecurity products or services, (2) misrepresenting their cybersecurity practices or protocols, or (3) violating obligations to monitor and report cybersecurity incidents and breaches. DOJ has brought at least four enforcement actions – including two in 2023 – that have led to settlements as part of its Civil Cyber-Fraud Initiative.[2]
At the same time, there has also been an even greater uptick in whistleblowers seeking to hold contractors and grantees accountable under the FCA for alleged failures to comply with their cybersecurity obligations under federal contracts. The increase in both public and private enforcement of the FCA relating to cybersecurity – in combination with the growing number of federal agencies implementing their own unique cybersecurity requirements for federal contracts – means that federal contractors and grantees will need to implement robust compliance initiatives in this area.
Recent settlements and actions
DOJ’s first settlement of 2023 resolved allegations that a design firm, Jelly Bean Communications Design, and its manager failed to secure personal information on a federally funded children’s health insurance website.[3] Jelly Bean had contracted with a Florida state entity funded through Medicaid to create, host, and maintain a website that was required to apply protections for personal information imposed by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. DOJ alleged that, from 2014 to 2020, contrary to its contractual representations and invoices, Jelly Bean did not provide secure hosting of personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying its websites. By December 2020, more than 500,000 applications submitted on the website were revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data. In light of the cyber failures and risk to sensitive data, DOJ pursued remedies under the FCA, eventually leading to a settlement for US$293,771 in March of 2023.
The second settlement of 2023 resolved allegations that a communications contractor failed to completely satisfy certain contractually required cybersecurity controls in connection with an information technology service provided to federal agencies between 2017 and 2021.[4] After learning of the issues, the firm initiated an independent investigation and compliance review, and under voluntary self-disclosure protocols, provided the government with multiple, detailed supplemental written disclosures. Factoring in the contractor’s voluntary disclosure, investigation, and remediation, the government determined that the contractor was entitled to credit for cooperating and settled the case for over US$4 million.
Last year also saw the unsealing of qui tam actions relating to allegations of non-compliance with cybersecurity obligations at academic institutions with government contracts for research, demonstrating that contractors and grantees can become easy targets for whistleblowers. Federal contractors and grantees should be mindful of the incentives for whistleblowers to come forward, especially those privy to a company’s cybersecurity obligations and practices.
Avenues for enforcement against government contractors and grantees
As demonstrated by the most recent settlements, government contractors and grantees are subject to increased scrutiny of their compliance with cybersecurity requirements, as well as enforcement actions based on alleged failures to meet those obligations. These settlements further underscore concerns that what may have been viewed as breach of contract actions in the past have now shifted into the FCA realm because of the cybersecurity certifications required in government contracts.
Government contractors and grantees may already find themselves subject to cybersecurity requirements requiring substantial investments in data security infrastructure that meets specific standards, including the Federal Acquisition Regulation’s (FAR) basic safeguarding clause at 52.204-21 and the Department of Defense’s (DoD) safeguarding and cyber incident reporting requirements in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Other agencies have recently implemented their own unique cybersecurity requirements for contractors. The Department of Homeland Security (DHS), for instance, implemented a new Homeland Security Acquisition Regulation (HSAR) clause 3052.204-72, Safeguarding of Controlled Unclassified Information (Jul 2023), which requires contractors and subcontractors to provide adequate security to protect Controlled Unclassified Information (CUI) from unauthorized access and disclosure and to report all known or suspected incidents within one hour if the incident involves personally identifiable information (PII) and eight hours for all other incidents.[5]
The Department of Veterans Affairs (VA) implemented a new clause, VA Acquisition Regulation (VAAR) 852.204-71, Information and Information Systems Security (Feb 2023), requiring contractors and others with access to VA information, information systems, or information technology (IT), or providing and accessing IT-related goods and services, to adhere to the requirements of VA Directive 6500, VA Cybersecurity Program, as well as those set forth in the contract specifications, statement of work, or performance work statement.[6] Like the DHS clause, the VA clause also imposes a one-hour notification requirement, in this case for an incident that (i) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of VA data and operations, or of its information or information system(s); or (ii) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. As agencies continue to implement overlapping or conflicting cybersecurity requirements, the compliance burden grows and the risk of running afoul of one of them grows with it, making these areas ripe for scrutiny by the Federal government and whistleblowers.
In October 2023, two amendments to the FAR were proposed[7] in order to implement portions of President Biden’s May 2021 Executive Order (EO) No. 14,028, Improving the Nation’s Cybersecurity.[8] The first rule would standardize cybersecurity contractual requirements across Federal agencies for unclassified Federal information systems (FIS). Recognizing the importance of securing FIS – whether cloud-based, on-premises, or a hybrid of the two – the proposed rule sets out in great detail cybersecurity policies, procedures, and requirements applicable to contractors that develop, implement, operate, or maintain a FIS.[9] The second rule would require government contractors across all Federal agencies to share information about cyber threats, report cyber incidents, and represent that they have submitted all security incident reports in a current, accurate, and complete manner.[10] Consistent with the government’s focus on treating cybersecurity noncompliance as fraud, both rules state that compliance with the cybersecurity requirements “is material to eligibility and payment under Government contracts.”[11] This broad statement appears to capture the government’s position that every aspect of the proposed rules is “material” for FCA purposes, despite the Supreme Court’s decision in Universal Health Services, Inc. v. United States ex rel. Escobar, 579 U.S. 176, 194 (2016), confirming that the FCA is not a “vehicle for punishing garden-variety breaches of contract or regulatory violations.”[12]
Lastly, DoD released its proposed rule in December of 2023 for updating the Cybersecurity Maturity Model Certification (CMMC) program.[13] As confirmed by the rule, DoD anticipates the use of self-attestation, third-party certification, and government-led assessments for cybersecurity compliance. When the certification process begins or is renewed, third-party certifiers or DoD may uncover inconsistencies between their assessment and a contractor’s own assessment of its security controls. Should the validity of a contractor’s self-assessment later be questioned, the contractor could be exposed to a whistleblower claim alleging that false or reckless representations made in the self-assessment caused false claims to be submitted.
Liability for health care-related breaches
Recent DOJ enforcement actions also put health care institutions that participate in federal health care programs in the crosshairs. Health care institutions are subject to additional scrutiny because of their unique compliance requirements and may face enforcement actions based on alleged failures to meet those obligations. HIPAA is one important potential source of FCA liability for health care institutions.[14] The HIPAA Security Rule requires health care providers to safeguard against reasonably anticipated threats to the security of the protected health information they maintain, including by conducting risk assessments to identify threats and implementing security measures to protect against them.[15] The Breach Notification Rule imposes additional notification requirements on covered entities and their business associates in the event of a breach of unsecured protected health information.[16] Threat actors have targeted health information with increasing sophistication as health information has become a valuable commodity.[17]
Two recent FCA settlements involving alleged violations of cybersecurity-related HIPAA obligations demonstrate the importance for industry professionals of understanding and proactively addressing these obligations. First, the Jelly Bean settlement, discussed above, shows the dangers of HIPAA non-compliance specifically when dealing with federal or state funds. Second, DOJ’s March 2022 settlement with Comprehensive Health Services LLC (CHS) – the first settlement under the Civil Cyber-Fraud Initiative – shows that HIPAA-related false claims may be a point of emphasis under the initiative. That case involved allegations that although the government paid for a secure electronic medical record system to store patients' medical records, CHS instead stored certain personally identifiable information on an internal network drive that was accessible to nonclinical staff – in violation of its HIPAA obligations. CHS settled the case for US$930,000.[18] The head of DOJ’s Civil Division, Principal Deputy Assistant Attorney General Brian M. Boynton, noted that “[t]his settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk.”[19]
Looking ahead
The recent DOJ settlements and ongoing qui tam actions indicate that enforcement in this area will continue to grow. Contractors and grantees should brace for additional scrutiny and potential whistleblower claims, carefully track fast-evolving cybersecurity rules and regulations, and prioritize the related compliance efforts.
References
[1] See Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative, U.S. Dep’t of Justice (Oct. 6, 2021), available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
[2] The prior year, DOJ settled FCA allegations against a medical services contractor for $930,000 and touted an aerospace and defense contractor’s FCA settlement for $9 million. See https://www.justice.gov/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical; https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity.
[3] See https://www.justice.gov/opa/pr/jelly-bean-communications-design-and-its-manager-settle-false-claims-act-liability.
[4] See https://www.justice.gov/opa/pr/cooperating-federal-contractor-resolves-liability-alleged-false-claims-caused-failure-fully.
[5] 88 Fed. Reg. 40,560 (June 21, 2023).
[6] 88 Fed. Reg. 4,739 (Jan. 25, 2023).
[7] 88 Fed. Reg. 68,055 (Oct. 3, 2023); 88 Fed. Reg. 68,402 (Oct. 3, 2023).
[8] Exec. Order No. 14,028, Improving the Nation’s Cybersecurity, 86 Fed. Reg. 26,633 (May 17, 2021).
[9] See proposed FAR clauses FAR 52.239-XX and 52.239-YY.
[10] See proposed FAR clauses FAR 52.239-ZZ and 52.239-AA.
[11] 88 Fed. Reg. at 68,403; 88 Fed. Reg. at 68,055.
[12] Id. at 194.
[13] 88 Fed. Reg. 89058 (Dec. 26, 2023).
[14] Health care institutions may be held liable under the FCA for claims made while noncompliant with HIPAA under what is known as “implied certification” liability. This arises when the institution represents, potentially even implicitly, that it is compliant with HIPAA and its failure to disclose noncompliance renders that representation misleading. In Universal Health Servs., Inc. v. United States ex rel. Escobar, 579 U.S. 176, 190 (2016), the Supreme Court unanimously held that the “implied certification theory can be a basis for liability, at least where two conditions are satisfied: first, the claim does not merely request payment, but also makes specific representations about the goods or services provided; and second, the defendant's failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.”
[15] 45 C.F.R. §§ 164.302 - 164.318; see also https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
[16] 45 C.F.R. §§ 164.400 - 164.414.
[17] See https://www.hhs.gov/sites/default/files/types-threat-actors-threaten-healthcare.pdf.
[18] See https://www.justice.gov/opa/press-release/file/1480816/download.
[19] See https://www.justice.gov/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical (CHS press release quoted above; see also supra note 2).