The inexorable expansion of the False Claims Act (“FCA”) to cover virtually all types of cybersecurity breaches and violations – to include allegedly poor practices and failure to fully adhere to security controls – continues. At one time, an organization might have thought that it was unlikely to face a potential FCA investigation and litigation relating to its cybersecurity practices. That day is long past. Two recent FCA settlements illustrate the expansion: one is the first cybersecurity FCA settlement relating to healthcare Quality System Regulations (“QSR”) and the other involves the first settlement with a defense contractor that also pulls in its private equity owner.
A Brief History of FCA Cybersecurity Enforcement
Four years ago, the Department of Justice (“DOJ”) announced a Civil Cyber-Fraud Initiative that would, among other things, utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. As one of our co-authors wrote at the time, we expected the Initiative to “create additional pressure for companies to devote substantial resources to cybersecurity compliance” (details here) and result in a considerable increase in FCA cases. Soon thereafter, DOJ entered into a settlement relating to a telecommunications company’s alleged failure to “satisfy certain cybersecurity controls in connection with an information technology service provided to federal agencies” (details here), followed by a pair of cases involving universities (details here and here).
While these (and other) FCA cases were being investigated, litigated and settled, government agencies continued to roll out new cybersecurity regulations and guidance. For example, the Department of Defense issued new regulations relating to cybersecurity (details here), DOJ rolled out a new Data Security Program (details here), and the U.S. Department of Health and Human Services (“HHS”) proposed amendments to HIPAA’s security rule (details here). States were also active; for example, New York now has cybersecurity requirements for hospitals (details here). And even the White House has issued an Executive Order relating to cybersecurity (details here).
Against this active regulatory and enforcement backdrop, two recently announced settlements illustrate the continued expansion of the FCA into a wide variety of cybersecurity matters.
$1.75m FCA Settlement with Defense Contractor and Private Equity Firm
DOJ recently announced an FCA settlement with a defense contractor and a private equity company. Specifically, the settlement of $1.75m resolves liability for (1) failure to implement National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 cybersecurity controls as required by Department of Defense (“DoD”) acquisition regulations (DFARS 252.204-7012) from January 2018 to February 2020 and (2) failure to control flow of and access to Controlled Unclassified Information (“CUI”) from June 2019 to July 2019. The cybersecurity requirements stem from the defense contractor’s contract with the Department of the Air Force.
The settlement acknowledged that both the contractor and its private equity investor “took significant steps entitling them to credit for cooperating with the government.” Specifically, the contractor submitted two written disclosures regarding the cybersecurity non-compliance and both entities cooperated with the Government’s investigation. The settlement credited them pursuant to the DOJ’s Justice Manual § 4-4.112 for the disclosure, cooperation, and remediation actions.
Notably, this settlement included the private equity firm as well as the portfolio company (the defense contractor). Over the last several years, in addition to an increased focus on cybersecurity, DOJ has also increased its focus on applying the FCA to private equity firms (details here and here). This settlement is the inevitable merging of these two trends.
$9.8m FCA Settlement with A Medical Device Company
DOJ also recently announced a $9.8 million FCA settlement with a biotechnology company in the genetic testing industry. The settlement resolved allegations that the company violated the FCA by selling genomic sequencing systems to the federal government that contained cybersecurity vulnerabilities from February 2016 to September 2023. In the settlement agreement, the company denied the allegations and did not admit liability. The whistleblower received a $1.9m share of the settlement.
The government alleged that the products, which have the ability to access and manipulate HIPAA-protected patient genomic data, contained cybersecurity vulnerabilities and that the company lacked an adequate security program to identify such vulnerabilities. The allegations stem from the U.S. Food and Drug Administration regulations for medical devices – its QSR. Oddly, DOJ does not explicitly cite the QSR as the basis for the alleged falsity of the claims, but appears to imply that a QSR failure in and of itself results in FCA liability if it causes cybersecurity deficiencies (even without a breach) that in turn result in false representations to a government agency regarding cybersecurity compliance. This appears to be the first FCA case involving the QSR and the first cybersecurity case involving a medical device company.
When All You Have Is A Hammer, Everything Looks Like A Nail
It is no secret that DOJ loves the FCA. Among other things, the potential of treble damages and per-claim penalties (that can now exceed $28,000 per claim) provides for potentially devastating monetary consequences. This in turn provides DOJ significant leverage in FCA cases—leverage it lacks with other civil enforcement tools. Thus, it is not surprising that FCA claims and settlement values continue to rise. In fiscal year 2024, FCA settlements and judgments overall exceeded $2.9 billion with 558 settlements and judgments.
Since the inception of DOJ’s Civil Cyber-Fraud Initiative in October 2021, the DOJ has continued to pursue cybersecurity fraud allegations under the FCA and these settlements evidence the broadening of cybersecurity FCA cases to medical device companies as well as private equity firms. As Brett Shumate, Assistant Attorney General of the Department’s Civil Division, stated in the settlement press release: “[c]ompanies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks.” We expect that scrutiny will be greater for entities that handle private and sensitive information, such as medical records, genomic data, or CUI.
Moreover, while healthcare has historically been an enforcement priority of the Department and its collaboration with HHS is longstanding, just last month, DOJ upped the ante by announcing the reformation of the DOJ-HHS False Claims Act Working Group, which will prioritize investigations into multiple areas, including “materially defective medical devices.” Just as DOJ’s Civil Cyber-Fraud Initiative has resulted in an increase in cybersecurity FCA cases, we expect that the reformation of the Working Group will result in additional healthcare and medical device FCA cases. Additionally, it is certain these efforts will overlap and there will be an increase in healthcare cybersecurity cases.
Cybersecurity Considerations Going Forward
Medical device companies, government contractors, and all healthcare entities subject to cybersecurity regulations should continue to prioritize a robust cybersecurity compliance program, with an emphasis on proactive remediation of any known cybersecurity lapses, self-disclosure, and Government cooperation. Organizations should consider regularly reviewing their cybersecurity practices and systems, especially where sensitive health and/or national security information is involved, and ensuring the continued accuracy of all representations to government agencies and customers concerning cybersecurity.