EXECUTIVE SUMMARY

The U.S. Department of Justice (DOJ) is pursuing an initiative aimed at uncovering and punishing government contractors with insufficient cybersecurity or who fail to report breaches. The agency is wielding the False Claims Act as a primary tool.

  • DOJ is encouraging cybersecurity whistleblowers.
  • Vendors often claim to have better cybersecurity than they do.
  • The initiative may be challenged in court.

A new Department of Justice (DOJ) initiative intended to hold government contractors accountable when they fail to meet required cybersecurity standards could lead to increased risk from the False Claims Act (FCA) for healthcare entities.

In announcing the Civil Cyber-Fraud Initiative, Deputy Attorney General Lisa Monaco stated the DOJ “will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.”

The Civil Cyber-Fraud Initiative is intended to address government contractors and others who receive federal funds when their cybersecurity practices or protocols fall short of government requirements. The DOJ is pursuing companies and individuals who knowingly misrepresent their cybersecurity practices and who fail to properly report cybersecurity breaches, says Paul F. Schmeltzer, JD, an attorney with Clark Hill in Los Angeles.

“Healthcare organizations maintain protected healthcare information in a lot of ways, but mostly that information is held through third-party vendors. This initiative has the potential to impact not only the healthcare organization but also the third-party vendors that maintain this data for them,” Schmeltzer says. “If the healthcare entity is receiving federal funds through Medicare or Medicaid and there is a cybersecurity incident, they could be implicated by the fraud initiative if they do not maintain a robust vendor management program.”

Some Vendors Lie About Security

It is not unusual for third-party vendors to claim on paper they have certain cybersecurity measures in place when in reality they do not regularly implement and update them. “That is where the biggest concern should be for a healthcare organization. If you have a third-party vendor, whether that is your electronic health record [EHR] vendor or a pharmacy management vendor, and they are not securely maintaining PHI when a security incident like ransomware occurs, the healthcare organization could be implemented under this fraud initiative,” Schmeltzer says.

Schmeltzer advises conducting a vendor management review at least annually and preferably every six months, “just to keep them honest.” That involves reviewing security measures and asking the vendor to attest in writing as to what security measures they have in place, then determining if these claimed security measures meet the government’s criteria.

If the healthcare entity is found liable under the initiative, the potential losses are the same as for any liability exposure under the FCA — easily hundreds of thousands of dollars, Schmeltzer says.

Using FCA as Big Stick

The DOJ is making clear it is implementing the FCA — and particularly the whistleblower provision — in its fight against cyber threats, forcing healthcare organizations to use the necessary safeguards and ensure they only work with vendors who do the same, says Kathleen McDermott, JD, partner with Morgan Lewis in Washington, DC. She previously served as an assistant U.S. attorney and DOJ healthcare fraud coordinator.

McDermott calls the initiative a “prominent, high-profile, aggressive” move by DOJ. The initiative is well staffed, and she expects to see some immediate action against offenders.

“There is a host of terms and definitions that will be introduced into contracts going forward. For a government contractor, this is a very big deal in terms of compliance,” she says. “The fact they’re emphasizing whistleblowers is a bit different institutionally for DOJ, but they are asking whistleblowers to come forward because it is such an area of technical complexity and sophistication that they’re not going to understand the noncompliance and vulnerability unless experts come forward to help.”

In some ways, the healthcare industry is far ahead of other government contractors in complying with cybersecurity standards because it has been governed by HIPAA and the Health Information Technology for Economic and Clinical Health Act for so many years, McDermott says. Nevertheless, the DOJ initiative creates added pressure on healthcare entities.

McDermott advises healthcare organizations to presume the DOJ initiative is the starting bell for improving cybersecurity practices. “This does affect healthcare, even if you are subject to the Federal Acquisition Regulation [FAR] because one of your contractors may be. If anything about your cybersecurity is questionable, now is the time to upgrade,” she says. “Using the False Claims Act and the Whistleblower Act creates a heightened exposure, so you’re going to see an uptick in cyber reporting and an uptick in subpoenas related to this.”

The DOJ’s announcement was made in the context of a broad and overdue federal effort to improve the government’s cybersecurity, says David Hall, JD, partner with Wiggin and Dana in Philadelphia. Previously, Hall served for more than 20 years as a federal prosecutor with the DOJ.

The FCA has been used before in the cybersecurity context, and such FCA actions commonly originate in whistleblower complaints. “While itself not a new source of FCA liability, the DOJ announcement is an important statement of DOJ priorities with important risk implications,” Hall says. “The DOJ statement is a sign that cybersecurity enforcement using the FCA is a priority for DOJ. More whistleblower complaints are likely after DOJ’s announcement.”

U.S. attorneys will be more likely to intervene in qui tam actions. “This means that compliance risk increases because the chances of becoming involved in an enforcement action increases,” he says. “DOJ is, in effect, reminding government contractors of the importance of an effective and proactive compliance program.”

Government contractors should ensure their certifications and disclosures to the government are accurate, Hall says. It also is important that disclosures to the government are complete and do not omit material information.

The federal government is focused on combating new and emerging cyber threats, says Michael J. Waters, JD, partner with Polsinelli in Chicago. This initiative demonstrates a recognition by the government that it cannot combat these threats alone and needs the cooperation of the public sector, including government contractors.

“If the government feels that it is not getting sufficient cooperation, it may utilize the False Claims Act to effectuate change. That poses a risk for government contractors, who must ensure that they are taking sufficient steps to protect data, be forthright in their claims regarding the state of their cybersecurity, and comply with security incident notification obligations,” he says. “Risk managers should take multiple steps in response to the initiative, including ensuring that their organizations have implemented the Cybersecurity Maturity Model Certification framework and other required cybersecurity protections, review the accuracy of security-related representations and warranties in public-facing documents and government contracts, and make sure they understand their notification requirements so they are prepared to comply with those requirements in the event of a data incident.”

The initiative is likely to face challenges in the courts, says Michael F. Dearington, JD, associate with Arent Fox in Washington, DC. He notes the Supreme Court explained in Universal Health Services, Inc. v. United States ex rel. Escobar, the FCA is not “a vehicle for punishing garden-variety breaches of contract or regulatory violations.”

Government contractors faced with FCA suits could contend the government and whistleblowers cannot use the FCA to punish what arguably amount to regulatory violations, Dearington explains. Whether such suits are viable likely will depend on whether compliance with cybersecurity requirements is material to the government’s payment decision.

The initiative already is being tested in the courts, Dearington says. In United States ex rel. Markus v. Aerojet RocketDyne Holdings, Inc., a former cybersecurity employee at aerospace contractor Aerojet RocketDyne Inc. (AR) accused AR and its holding company of fraudulently obtaining billions of dollars of NASA contracts and subcontracts while failing to maintain mandatory FAR and Defense Federal Acquisition Regulation Supplement cybersecurity requirements, in violation of the FCA.

The district court denied AR’s motion to dismiss for lack of materiality in 2019, and the parties recently filed cross-motions for summary judgment. The DOJ filed a Statement of Interest on challenging AR’s argument that noncompliance with cybersecurity requirements is immaterial, Dearington notes.

The district court’s ultimate decision could provide an indication of how courts will react to cases brought under the initiative, and whether a defendant can commit fraud by obtaining contract payments while failing to maintain adequate cybersecurity standards, he says.  

SOURCES

  • Michael F. Dearington, JD, Associate, Arent Fox, Washington, DC. Phone: (202) 715-8495. Email: michael.dearington@arentfox.com.
  • David Hall, JD, Partner, Wiggin and Dana, Philadelphia. Phone: (215) 988-8325. Email: dhall@wiggin.com.
  • Kathleen McDermott, JD, Partner, Morgan Lewis, Washington, DC. Phone: (202) 739-5458.
  • Paul F. Schmeltzer, JD, Clark Hill, Los Angeles. Phone: (213) 417-5163. Email: pschmeltzer@clarkhill.com.
  • Michael J. Waters, JD, Partner, Polsinelli, Chicago. Phone: (312) 463-6212. Email: mwaters@polsinelli.com.