On June 17, the Department of Justice announced that two government contractors agreed to pay a combined $11.3 million under the False Claims Act for failing to implement certain safeguards to meet cybersecurity requirements contained in their government contracts.

According to the government’s press release, the two contractors — Guidehouse Inc. and Nan McKay — entered into a contract with the federal government in 2021 to administer New York’s Emergency Rental Assistance Program (ERAP), which was established by Congress in early 2021 to assist eligible low-income households to cover the cost of rent and other housing-related expenses during the COVID-19 pandemic.

The contract at issue required the contractors to ensure that the ERAP system (which was used to submit online applications for ERAP assistance) underwent cybersecurity testing before it was launched.  As part of the recent settlement, the contractors admitted that they did not complete this required pre-production cybersecurity testing.

Twelve hours after the ERAP website went live in June 2021, it was abruptly shut down after it was determined that certain applicants’ personally identifiable information (PII) had been compromised and portions were available online.  According to the DOJ, had the contractors performed the required pre-production cybersecurity testing, the security breach may have been prevented.

In announcing the settlement, Brian Boynton, the Principal Deputy Assistant Attorney General of the DOJ’s Civil Division, stated:  “Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments.  The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”

This is not the first time that the DOJ has pursued punishment for cybersecurity lapses under the powerful FCA. In October 2021, Deputy Attorney General Lisa Monaco announced the DOJ’s “Civil Cyber-Fraud Initiative.”  The DOJ stated that the Initiative would utilize the FCA to pursue cybersecurity-related fraud by government contractors and grant recipients.

Since the Initiative was announced, there have been several significant FCA settlements related to government contractors’ failure to implement appropriate cybersecurity safeguards.  For example, in March 2023, the DOJ announced that Jelly Bean Communications Design agreed to pay nearly $300,000 for failing to live up to its cybersecurity responsibilities.  Specifically, Jelly Bean contracted with Florida’s Medicaid program to provide website design, programming, and data hosting services.  The agreement between Florida and Jelly Bean required Jelly Bean to provide a “fully functional hosting environment” that complied with HIPAA.  According to the DOJ, contrary to its representations in agreements and invoices, Jelly Bean did not protect applicants’ personal information and instead knowingly failed to properly maintain, patch, and update its software systems, leaving PHI vulnerable to attack.

These cases highlight some important take-aways.  First, the government’s cybersecurity requirements are not limited to healthcare providers.  While healthcare providers have been subject to HIPAA and related laws and regulations for decades, it is clear that all businesses that do business with the government must comply with stated cybersecurity requirements, regardless of industry.  Second, these cases demonstrate that even a simple failure to run a security update or test could result in significant penalties under the FCA, which not only allows the DOJ to pursue treble (3x) damages, but also per-claim penalties, which currently range from a minimum of nearly $14,000 to a maximum of nearly $28,000.

Accordingly, it is crucial for anyone doing business with the government, regardless of industry, to ensure that they are following any stated cybersecurity guidelines and regulations to a tee, and to make sure that those efforts are properly documented in the event that the government demands proof of compliance.

The attorneys at Chilivis Grubman represent businesses of all types and sizes — particularly those within the healthcare industry — in connection with False Claims Act investigations and litigation as well as cybersecurity/HIPAA matters.  If you need assistance with such a matter, please contact us today.