
EnforceMintz — Healing Healthcare? DOJ’s Cybersecurity Enforcement Trained Up for 2025

In 2024, the Department of Justice (DOJ) pursued significant enforcement activity under its Civil Cyber-Fraud Initiative (CCFI). As our readers know, the Deputy Attorney General announced the creation of the CCFI in October 2021. The DOJ Civil Division’s Fraud section leads this initiative and uses the False Claims Act (FCA) as a primary enforcement tool in pursuing cybersecurity-related fraud, including by government contractors and grant recipients. Our health care and cybersecurity enforcement teams have been closely following CCFI actions since the initiative’s inception and reported on them in our 2022, 2023, and 2024 EnforceMintz publications.

Generally speaking, CCFI enforcement activity to date has not directly focused on health care providers or companies. Where these enforcement activities have involved the health care industry, it typically has been with respect to service providers that support health care companies or agencies and have failed to safeguard protected health information (PHI) and/or personally identifiable information (PII).

When we reported on the CCFI last year, we observed that 2023 enforcement activity in this space focused on entities that provided a wide range of services (e.g., website hosting, security connectivity, and applied research) and that the bases for alleged violations were similarly broad (e.g., purported violations of contracts, agency-issued requirements, and regulations). CCFI enforcement in 2024 looked somewhat similar. DOJ pursued violations of cybersecurity-related contractual provisions by entities providing technology-related services to state and federal agencies, including the Pennsylvania Department of Health (PADOH) and the Centers for Medicare & Medicaid Services (CMS). The agency also initiated its first major cyber-fraud FCA litigation against a government contractor.

DOJ’s CCFI-Related FCA Settlements in 2024 Continued to Focus on Service Providers, Including Entities Providing Health Care-Related Services

Insight Global

In May 2024, DOJ entered into a $2.7 million settlement with Insight Global LLC, a staffing and professional services company that offers services in health care and other industries. PADOH hired Insight Global to provide staffing for COVID-19 contact tracing and paid Insight Global for those services using funds from the US Centers for Disease Control and Prevention (CDC).

The settlement with DOJ resolved allegations that the company failed to implement sufficient cybersecurity measures to protect PHI collected as part of COVID-19 contact tracing. More specifically, DOJ alleged that in the contract between Insight Global and PADOH, the company represented that it understood that the PHI of individuals subject to contact tracing must be kept confidential and secure but failed to meet this responsibility. Examples of Insight Global’s alleged failures included sending PHI and PII by unencrypted email and storing this information in locations that were not password-protected and potentially accessible to the public. Insight Global also received complaints from employees about its practices between November 2020 and January 2021, but failed to begin remediation until April 2021, three months before a whistleblower filed a qui tam complaint against the company.

Although the settlement agreement describes the remedial steps taken by the company and notes that Insight Global cooperated with the government’s investigation, the company apparently did not receive cooperation credit. The agreement characterizes $1.35 million of the $2.7 million settlement amount as restitution, meaning that the government applied a 2x multiplier, which is the multiplier commonly applied in FCA settlements. Had the multiplier been less, we might have concluded that the company received some credit for its efforts.

Guidehouse and Nan McKay

In June 2024, DOJ announced that it had entered into settlement agreements with Guidehouse Inc. and its subcontractor Nan McKay and Associates to resolve allegations that they violated the FCA by breaching cybersecurity requirements in federally funded state contracts involving management of a COVID-19 emergency rental relief program for the State of New York.

Both the government’s press release and the terms of these settlement agreements indicate that the government found the companies’ conduct to be particularly egregious. Guidehouse agreed to pay $7.6 million, and Nan McKay and Associates agreed to pay $3.7 million. Guidehouse’s settlement agreement does not indicate the components of the settlement amount. Also notable is the fact that both companies were required to make admissions in their respective settlements. They “admit[ted], acknowledge[d], and accept[ed] responsibility” for the covered conduct, which was described in great detail in the settlement agreement. The government alleged that the companies failed to satisfy their contractual obligation to complete pre-production cybersecurity testing of the application system and that 12 hours after the system went live, it had to be shut down because individuals’ PII was immediately compromised and made available on certain public search engines.

ASRC Federal Data Solutions LLC

In October 2024, DOJ settled an FCA investigation with ASRC Federal Data Solutions LLC (AFDS) to resolve allegations that AFDS violated the FCA by breaching the cybersecurity requirements of its contract with CMS to provide Medicare support services, and then knowingly billing CMS under that contract.

According to DOJ, AFDS and one of its subcontractors stored screenshots from CMS systems containing PII and PHI of Medicare beneficiaries without encrypting the files in a manner that would protect them in the event of a breach. A threat actor later breached the subcontractor’s server and accessed the unencrypted screenshots. AFDS agreed to pay $306,722 to resolve these allegations. The settlement agreement characterizes the entirety of this amount as restitution. The settlement agreement also states that AFDS received cooperation credit in the settlement and details the basis for this credit, including that AFDS notified CMS of the breach within one hour of being notified by its subcontractor, immediately stopped taking and storing screenshots, and stopped storing other PHI. AFDS also worked with CMS to notify impacted Medicare beneficiaries and provide free credit monitoring and identity theft protection services, and cooperated in DOJ’s investigation.

DOJ’s First CCFI Litigation Has Similarities to Previous Enforcement Actions

All eyes are on the first major cyber-related FCA case that DOJ is litigating since launching the CCFI. While this litigation does not have direct ties to health care, it does illuminate some continuing trends in CCFI enforcement and important reminders about cybersecurity compliance.

In August 2024, DOJ filed a complaint against the Board of Regents of the University System of Georgia d/b/a Georgia Tech alleging that the school violated cybersecurity requirements in its federal Department of Defense (DOD) contracts, as well as broadly applicable cybersecurity requirements imposed by Federal Acquisition Regulation 52.204-21 (which incorporates the security requirements of the National Institute of Standards and Technology (NIST)). This litigation follows a qui tam lawsuit filed by two former senior members of the defendant’s cybersecurity compliance team.

The allegations are similar to those previously levied against Penn State University (which we covered in last year’s publication). According to DOJ, Georgia Tech submitted false cybersecurity assessment scores and created a culture of cybersecurity noncompliance, did not install, update, or run antivirus or antimalware software, and neither developed nor implemented a system security plan. DOJ seeks single damages of approximately $30 million, which are of course potentially subject to trebling under the FCA.

Looking to 2025, the Health Care Sector Should Focus on Compliance with Cybersecurity Obligations

CCFI enforcement activity in 2024 certainly underscores that DOJ continues to consider cybersecurity-related misconduct to be an important enforcement area, especially where noncompliance leads to breaches involving PHI and/or PII. Going into 2025, we expect this enforcement area will likely remain a DOJ priority, but we are not yet seeing any clear indication that health care providers are next on the list of targets. Even so, the health care industry should not let down its guard. As always, the CCFI is but one of many reasons why compliance with applicable cybersecurity requirements (whether contractual, regulatory, or otherwise) when interacting with the federal government should be high on compliance checklists.


Authors

As a former official in the Civil Fraud Section of the U.S. Department of Justice, Larry has deep experience handling FCA investigations and qui tam litigation for industry leading health care clients across the country.
Scott T. Lashway

Member / Co-Chair, Privacy & Cybersecurity Practice

Scott T. Lashway is a globally recognized privacy and cybersecurity disputes attorney who serves as Co-Chair of Mintz’s Privacy & Cybersecurity Practice. He guides clients through high-stakes incident response and breach investigations, complex and bet-the-company litigation, government investigations, and enforcement actions, and provides strategic counsel on privacy, cybersecurity, data governance, and AI issues. Scott primarily represents clients in the health care, financial services, technology, artificial intelligence, and media and adtech sectors.
Matthew MK Stein

Special Counsel

Matthew MK Stein is a Special Counsel at Mintz who advises organizations and individuals on data privacy, data governance, and cybersecurity issues. He leverages experience in private practice and as in-house counsel at a global financial institution to litigate, lead investigations, and provide strategic guidance. He represents clients in various industries, including technology, artificial intelligence, financial services, blockchain, and the adtech and martech sectors.