Cybersecurity Failures: False Claims Act & Healthcare Organizations

Executive Summary 

The new Civil Cyber-Fraud Initiative allows the DOJ to pursue False Claims Act (FCA) liability against government contractors within the cybersecurity space. As there is a new weapon in the DOJ’s already powerful arsenal, it is imperative that healthcare providers take note and understand their responsibilities to mitigate any potential cyber liability risks. 

Recommended Actions  

• Ensure that vendors your healthcare practice uses are current on their cybersecurity measures. 
• Ensure that your healthcare practice has an up-to-date cybersecurity policy and all staff members are appropriately trained regarding it. 
• Ensure that your healthcare practice has implemented a breach response plan and all staff are appropriately trained regarding it. 

According to a recent survey, more than one-third of healthcare organizations reported being hit by ransomware attacks in 2020. Healthcare organizations are targeted because they are more likely to pay ransom compared to businesses in many other sectors, a behavior that is probably linked to the significant consequences healthcare organizations face if patient information is leaked or made inaccessible.    

Although healthcare organizations and their vendors have been required to implement adequate security measures and report data breaches under HIPAA for more than a decade now, some have chosen not to invest in adequate cybersecurity measures and remain silent after a breach occurs with the hopes of avoiding resulting investigations, fines and negative press.   

To deter such behavior, the Department of Justice (DOJ) has announced a new Civil Cyber-Fraud Initiative that will use the False Claims Act (FCA) to pursue government contractors and grant recipients that: (1) knowingly fail to monitor and report cyber data breaches, (2) knowingly implement inadequate cybersecurity measures or (3) knowingly misrepresent their cybersecurity practices. 

Part of the DOJ’s reasoning in applying the FCA to these three new categories is that an organization’s failure to adequately protect patient information deprives the government of what it bargained for, which is deemed a false claim. Because most healthcare organizations qualify as government contractors by way of participating in Medicare/Medicaid, this extension of the FCA to cybersecurity practices will put the majority of them at much greater risk of running afoul of the FCA. 

What really gives the FCA teeth is its qui tam (whistleblower) provision, which allows persons not affiliated with the government to initiate lawsuits over alleged FCA violations on the government’s behalf. This provision permits whistleblowers (who are most often employees or contractors) to initiate an action against an organization that violates the FCA.   

Of the $2.2 billion the government collected in 2020 in settlements and judgments from FCA violations, the overwhelming majority (more than $1.6 billion) arose from actions initiated by whistleblowers. FCA incentives most likely contribute to the prevalence of whistleblower-initiated actions. The FCA awards whistleblowers 15% to 30% of the amount the government collects. In 2020 alone, the government paid approximately $309 million to 672 FCA whistleblowers, which comes to an average award of more than $450,000 per whistleblower. 

The DOJ’s broadening of the FCA to cover cybersecurity deficiencies, in effect, now makes every employee a potential cybersecurity auditor with a substantial financial interest in the successful prosecution of the organization. Because most healthcare organizations are subject to this increased FCA enforcement, it is more important than ever for organizations to ensure that their cybersecurity breach response and protocol plans are sufficient.  

Healthcare organizations can follow these compliance tips to decrease their likelihood of violating the cybersecurity aspects of the FCA.  

Compliance Tips 

Determine if your healthcare organization is subject to the FCA 

Because the FCA only applies to organizations that are government contractors or those that receive federal grants, healthcare organizations should first determine whether they fit in either category and are thus subject to the FCA. Most healthcare organizations will be subject to the FCA as government contractors because they treat Medicare/Medicaid patients.   

Verify that your organization’s cybersecurity protocols are sufficient and all representations are accurate 

Healthcare organizations should verify that they meet and adhere to all cybersecurity requirements in government contracts to avoid FCA allegations over failing to implement adequate cybersecurity protocols or misrepresenting the adequacy of the organization’s cybersecurity measures. A resource for Medicare/Medicaid cybersecurity requirements can be found on the Centers for Medicare & Medicaid Service (CMS) website.  

Develop a cybersecurity breach response plan 

Healthcare organizations should create a cybersecurity incident response plan that details how employees should report breaches and other unauthorized exposures of patient information. Make it clear to employees that time is of the essence in such situations and that they should err on the side of caution and report any potential breach or cybersecurity threat to management for review. 

Management should then assess the incident and determine whether notification is necessary and, if so, to whom. It is also important for healthcare organizations to respond appropriately to concerns raised by employees about breaches, insufficient security measures and cybersecurity misrepresentations. If an organization ignores or mishandles a report, an employee might feel compelled to file a whistleblower claim under the FCA.  

Review HIPAA cybersecurity breach requirements  

Although not every HIPAA cyber security violation will trigger FCA liability, violations stemming from a healthcare organization’s failure to implement adequate cybersecurity measures, misrepresentations of an organization’s cybersecurity measures or failure to report a known breach may also be considered a false claim under the FCA. Healthcare organizations should confirm that their cybersecurity protocols and breach response plans are HIPAA-compliant to avoid any investigations for HIPAA violations that could also lead to the discovery of FCA violations.  

Provide ongoing training to employees  

Employees should receive adequate initial and ongoing training on how to identify and report cyber breaches and other cyber-related issues that may trigger an FCA claim. A simple set of instructions on reporting such situations to management should be made available to all employees. Those instructions should make it clear that employees will not be reprimanded or otherwise punished for reporting instances that, in the end, do not warrant concern.  

Lessons Learned  

• Ensure that vendors your healthcare practice has contracted with immediately report any data breaches to your practice. 
• Ensure that your healthcare practice regularly monitors CMS’s guidelines and requirements for patient information security and privacy. 
• Train all staff members to err on the safe side and bring any potential data breach to the immediate attention of management for review. 

Potential Damages 

Healthcare organizations that maintain inadequate cybersecurity measures or that fail to monitor for or report a data breach can face a False Claims Act violation as well as a HIPAA breach. This means healthcare providers now face severe financial penalties and damages for any violation. As this initiative is still new, the frequency of such violations is relatively low; however, providers would be wise to stay clear of any sort of violation given the potential damages at stake.