For the first settlement as part of the Department of Justice’s Civil Cyber-Fraud Initiative, DOJ settled a case against medical services government contractor Comprehensive Health Services, LLC (CHS) for $930,000.  This settlement resolves allegations brought forth in two qui tam lawsuits, where four whistleblowers filed suit on behalf of the government under the qui tam provision of the False Claims Act.  Three of the whistleblowers received $15,000, in addition to attorneys’ fees, and one relator received $127,050 for reporting fraud.

“This settlement serves notice to federal contractors that they will be held accountable for conduct that puts private medical records and patient safety at risk,” said the United States Attorney for the Eastern District of New York.

CHS, as part of the medical services they provided to the U.S. government, was paid to implement a secure electronic medical record (EMR) system as part of contracts with the State Department and Air Force at various U.S. consulate and military locations in Iraq and Afghanistan.  The EMR system housed personal health information and medical records for anyone who received medical treatment at the locations CHS served, including U.S. service members, diplomats, officials, and contractors.  According to the allegations, CHS did not consistently store patients’ medical records on the secure EMR system and indeed left scans on a network drive which non-clinical staff could access.

As part of several contracts to which CHS was a party, CHS was supposed to provide medical supplies, including controlled substances subject to U.S. Food and Drug Administration (FDA) or European Medicines Agency (EMA) approval.  According to the allegations, CHS “knowingly, recklessly, or with deliberate ignorance” submitted claims for payment for controlled substances that they obtained by means not sanctioned by these contracts.  Not only did CHS lack a Drug Enforcement Agency license to export controlled substances, but CHS also obtained controlled substances by having their U.S.-based subsidiary request that a South African physician prescribe controlled substances, according to the allegations.  The South African physician prescribed these controlled substances, absent FDA or EMA approval, and a shipping company from the same country imported the substances to Iraq.

Government contractors are supposed to adhere to the terms of their contracts in order to receive reimbursement from the U.S. government.  This medical services provider ignored procurement guidelines to obtain controlled substances, undermining safety controls and misrepresenting their adherence to contract terms in providing medical services to U.S. military personnel.  The DOJ’s Civil Cyber-Fraud Initiative brings the power of the False Claims Act to bear on contractors whose job is to protect sensitive information and critical systems.  Representing that data is secure when it is, in fact, not is a violation of the False Claims Act and constitutes cyber-fraud.  As the Special Agent in Charge of the U.S. Department of State OIG, Office of Investigations noted, “…this outcome will send a clear message that cutting corners on State Department contracts has significant consequences.”

Whistleblowers raised data privacy concerns to CHS, but the contractor failed to implement better cybersecurity protocols in response to their concerns.  The Department of Justice has rewarded its first whistleblowers as part of the Civil Cyber-Fraud Initiative, and they’re just getting started.