Department of Justice Settles First False Claims Act Case Under its Civil Cyber-Fraud Initiative

On March 8, 2022, the Department of Justice (“DOJ”) announced that Comprehensive Health Services LLC (“CHS”) agreed to pay $930,000 to resolve allegations that it violated the False Claims Act (“FCA”). DOJ alleges that CHS falsely represented to the State Department and Air Force that it complied with contract requirements relating to the secure storage of medical records under its contracts to provide medical services at government facilities overseas. CHS did not admit to liability in the settlement agreement.

CHS is a provider of medical solutions, including global medical services, that contracted with the State Department and Air Force to provide medical support services at government facilities in Iraq and Afghanistan. The FCA allegations stem from CHS’s purported failure to properly and securely store medical records containing “identifying information” and false representations regarding controlled substances provided under those government contracts. CHS submitted claims for the cost of a secure electronic medical record (“EMR”) system to store medical records, including the confidential identifying information of service members, officials, and contractors receiving medical care in Iraq. DOJ alleges that, between 2012 and 2019, CHS failed to disclose that staff would scan records into the EMR system and leave records on an internal network drive that was not secure and was accessible to non-clinical staff. CHS also failed to take adequate steps to store the information after staff raised concerns about the privacy of the identifying information.

DOJ also alleges that, between 2012 and 2019, CHS did not have the necessary Drug Enforcement Agency license to export controlled substances to Iraq, and falsely represented that unapproved substances provided under the contracts were approved by the Food and Drug Administration or European Medicines Agency.

The settlement resolves two cases brought under the whistleblower provisions of the FCA: United States ex rel. Lawler v. Comprehensive Health Servs., Inc. et al., Case No. 20-cv-698 (E.D.N.Y.), and United States ex rel. Watkins et al. v. CHS Middle East, LLC, Case No. 17-cv-4319 (E.D.N.Y.). Under the terms of the settlement agreement, CHS will also pay more than $500,000 in attorney’s fees to the relators.

This is the first FCA settlement under the DOJ’s Civil Cyber-Fraud Initiative and will certainly not be the last. As we previously predicted, we expect DOJ’s announcement of the initiative five months ago to lead to an uptick in FCA investigations, settlements, and litigation concerning cybersecurity issues and increased interest by those in the relator’s bar for qui tam actions. Notably, this settlement suggests that DOJ will not limit its enforcement actions to a contractor’s failure to satisfy its obligations under the standard Federal Acquisition Regulation or Defense Federal Acquisition Regulations safeguarding clauses, but will broadly consider noncompliance with other information and data security provisions to be an appropriate hook for FCA liability.