Chilivis Grubman attorneys warned that the U.S. Department of Justice’s Civil Cyber-Fraud Initiative would use the False Claims Act (FCA) to pursue cybersecurity-related fraud.
The FCA prohibits any person from knowingly presenting, or causing to be presented, a false or fraudulent claim for payment to the federal government. The FCA also prohibits any person from knowingly making, using, or causing to be made or used, a false record or statement material to a false or fraudulent claim. Using the FCA, the Cyber-Fraud Initiative aims to hold accountable individuals, government contractors, entities, and grant recipients who receive federal funds and put “U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
In March 2022, the DOJ announced its first settlement under the Civil Cyber-Fraud Initiative. The March 2022 press release noted that Comprehensive Health Services LLC (“CHS”) agreed to pay $930,000 to resolve allegations it violated the FCA. Four months after announcing its first settlement, the DOJ announced its second settlement, which Chilivis Grubman has discussed. The second settlement involved Aerojet Rocketdyne, Inc. (“Aerojet”), an aerospace and defense company, which agreed to pay $9 million to resolve allegations it misrepresented its compliance with cybersecurity requirements in violation of the FCA.
Most recently, on March 14, 2023, the DOJ announced that another tech company, Jelly Bean Communications Design, LLC (“Jelly Bean”), and its manager agreed to settle allegations it violated the FCA because of cybersecurity failures. Jelly Bean, a Florida-based company, provides web hosting functions and services. One of its clients, Florida Healthy Kids Corporation (FHKC), provides state health insurance programs for children in Florida. Jelly Bean’s agreement with FHKC required Jelly Bean to provide technical services (e.g., creation, hosting, and maintenance of the HealthyKids.org website) that met HIPAA requirements. Between 2013 and 2020, Jelly Bean submitted invoices to FHKC for the tech services it rendered, which included a line item for “HIPAA-compliant hosting,” according to the settlement agreement. The federal government paid a majority portion of the payments from FHKC to Jelly Bean.
The DOJ alleged that despite Jelly Bean’s agreement, invoices, and technological representations, Jelly Bean “did not provide secure hosting of applicants’ personal information and instead failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the site and the data Jelly Bean collected from applicants vulnerable to attack.” Jelly Bean’s website was operating with outdated and vulnerable applications, some of which had not been patched for at least five years. These vulnerabilities did not comply with cybersecurity standards and were exploited by a hacker who hacked 500,000 medical applications submitted to FHKC. Jelly Bean and its owner agreed to pay $293,771 to resolve allegations that they did not secure personal information on a federally funded Florida children’s health insurance website, despite its representations and contractual requirements, in violation of the FCA.
With the growing trend of cyber-incidents and breaches, FCA investigations of technology providers are here to stay. All companies doing business with the government should heed the government’s warnings. As Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, noted: “[the DOJ] will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.” Tech companies should be familiar with their contractual obligations and any representations made by their employees. Deviating from these obligations may result in a false claim (or reverse false claim). The agreed-to requirements and updated requirements must remain top of mind, even several years after the execution of the contract.
The attorneys at Chilivis Grubman represent clients of all types and sizes in connection with False Claims Act litigation, government investigations, and cybersecurity fraud investigations. If you need assistance with such a matter, please contact us today.