On February 28, the US Department of Justice (DOJ) agreed to a $930,000 settlement with Comprehensive Health Services (CHS) to resolve False Claims Act allegations. The resolution represents the department’s first settlement under the False Claims Act since setting up its Civil Cyber Fraud Initiative in October 2021.  This is a watershed moment in the Department’s approach to cybersecurity, which highlights its renewed focus and commitment to holding suppliers who do business with the federal government accountable for meeting federal security requirements. cybersecurity.
Civil Cyber Fraud Initiative
In October 2021, the department announced the launch of its Civil Cyber Fraud Initiative, which aims to combine the department’s expertise in civil fraud, public procurement and cybersecurity to combat cyber threats new and emerging for the security of sensitive information and critical systems. The ministry presented this initiative as a direct response to the lack of disclosure and reporting by government contractors when faced with violations. “For too long, companies have chosen silence in the mistaken belief that concealing a breach is less risky than reporting and exposing it,” said Monaco’s deputy attorney general. Specifically, the initiative aims to hold government contractors accountable when they fail to comply with federal government cybersecurity requirements.
The initiative targets companies and individuals who endanger U.S. information or systems by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
The initiative further uses the False Claims Act as a way to prosecute cybersecurity-related fraud by government contractors and grant recipients. Historically, the False Claims Act has functioned as the government’s primary civil tool for redressing false claims of federal funds and property involving government programs and operations. As such, only companies that receive federal assets are subject to scrutiny under the False Claims Act with this initiative.
Regulations outline that contractors must comply with cybersecurity requirements in federal contracts
CHS, a global medical services provider, is committed to providing medical support services at government facilities in Iraq and Afghanistan. Under one such contract, CHS submitted claims to the State Department for the cost of a secure electronic medical record (EMR) system to store all patient medical records, including patient information. identification of US service members, diplomats, government officials and contractors working and receiving medical treatment in Iraq. The United States alleged that the CHS violated the False Claims Act by falsely stating that it had complied with contractual requirements for the provision of medical services at State Department and Army facilities. the air in Iraq and Afghanistan.
Specifically, the United States claimed that between 2012 and 2019, CHS failed to disclose that it failed to consistently store patient medical records on a secure EMR system, as required by its contract. The department explained that “when CHS staff scanned medical records for the EMR system, CHS staff saved and left scanned copies of some records on an internal network drive, which was accessible to non-clinical staff. Even after staff raised concerns about the confidentiality of protected health information, CHS failed to take adequate steps to store the information exclusively in the EMR system.” Instead, CHS allegedly billed the Department of State nearly $500,000 for the EMR system, but it did not disclose that it also stores medical records on the internal network drive that non-clinical staff would access. they had negotiated and paid for the secure storage of medical records, but that they had not benefited from this bargain given the awareness false claims that medical records were only stored in secure locations.
As Senior Assistant Deputy Attorney General Brian M. Boynton, head of the DOJ Civil Division, put it, “[T]its settlement demonstrates the department’s commitment to using its civil enforcement tools to prosecute government contractors who fail to meet required cybersecurity standards, particularly when they put confidential medical records at risk. »
The civil settlement includes the resolution of two actions brought under the who tam or the whistleblower provisions of the False Claims Act against CHS. Under the who tam provisions of the False Claims Act, a private party can sue on behalf of the United States and receive a portion of the settlement if the government takes over the case and reaches a monetary settlement with the defendant. the who tam cases are subtitled United States ex rel. Lawler v. Comprehensive Health Servs., Inc. et al., Case No. 20-cv-698 (EDNY) and United States ex rel. Watkins et al. against CHS Middle East, LLCCase No. 17-cv-4319 (EDNY).
Take away food
The investigation and subsequent resolution of this case underscores the department’s renewed focus on combating cyber fraud, as well as its willingness to use any legal measure at its disposal. It is clear that the DOJ will target companies that knowingly provide products and services that do not comply with contractual cybersecurity requirements. Therefore, it is critical that companies carefully assess compliance mechanisms and document cybersecurity compliance efforts with specific contractual requirements in mind. As a best practice, companies contracting with the federal government should consider the following best practices:
Understand at the outset that the cybersecurity requirements frequently mandated in FAR 52.204-21 and DFARS 252.204-7012 also incorporate cybersecurity standards established, for example, by the National Institute for Standards and Testing (NIST). The most commonly adopted standards are those of NIST SP 800-171 (addressing a total of 110 distinct cybersecurity functions and features). Additionally, many federal agencies are including additional cybersecurity requirements in their contracts in the form of custom contract clauses developed to meet their unique mission requirements (NASA, VA, DHS, DHHS, DOE, NIS, for n to name a few).
Ensure that cybersecurity and privacy policies are up to date and in accordance with the terms of the contract.
Implement a program to update security policies at a cadence that allows for changes consistent with federal guidelines and contract renewal terms.
Use third parties to test policies and perform gap analyzes to ensure that all necessary security requirements are covered in both written policy and in practice. If you are a DOD contractor, you are most likely subject to the standards listed in NIST SP 800-171, which require, among other things, that you perform a gap analysis and prepare objectives and milestones (POAM). Over time, and with effort and investment, the stated goals and milestones will be achieved and full compliance achieved.
Develop processes to test and validate material representations and certifications made to government regarding tendering, negotiation and execution of awarded contracts. Document these processes and ensure objective evidence supporting these claims and certifications is retained.
Ensure that the company and its employees are informed of reporting obligations regarding changes in cybersecurity risks, cyber incidents, data breaches, and other material items related to federal contracts and grants. While an unintentional failure to comply with the terms of a federal order is not ideal, failure to adequately and appropriately disclose such a failure will be significantly worse for the business.
Take seriously internal reports, complaints and suggestions from employees expressing their observations and concerns regarding the company’s compliance or perceived non-compliance with contractual cybersecurity obligations. 
Be sure to seek legal advice from attorneys with the expertise to identify and manage cybersecurity requirements and appropriately address company compliance gaps.
Troutman Pepper has considerable expertise and knowledge at the intersection of law and technology and constantly monitors this space for developments to advise clients in this rapidly changing landscape. Troutman Pepper attorneys also have the experience and expertise required to provide sophisticated and personalized legal solutions to businesses facing litigation centered on the False Claims Act.
 While this is the first DOJ rule using the FCA under the Civil Cyber Fraud Initiative, it is not the first time the FCA has been used to allege cyber fraud with government contracts. In United States ex rel. Markus vs. Aerojet RocketDyne Holdings, Inc., the DOJ filed a statement of interest opposing Aerojet’s motion for summary judgment, arguing that it had contracted with Aerojet not only to build rocket engines, but also to securely store data authorities on systems that met certain cybersecurity requirements. The Eastern District of California denied Aerojet’s motion for summary judgment. The DOJ did not intervene in who tam stock.
 In the Aerojet In this case, for years, management would have ignored complaints from one or more employees about intentional non-compliance and false certifications.