Cybersecurity Failures, the False Claims Act and What They Mean for Healthcare Organizations

According to a recent survey, more than one-third of healthcare organizations reported being hit by ransomware attacks in 2020. Healthcare organizations are targeted because they are more likely to pay ransom than businesses in many other sectors, a behavior that is probably linked to the significant consequences healthcare organizations face if patient information is leaked or made inaccessible.

While healthcare organizations and their vendors have been required under HIPAA to implement adequate security measures and report data breaches for more than a decade now, some have chosen not to invest in adequate cybersecurity measures and to remain silent after a breach occurs, in the hope of avoiding the resulting investigations, fines and negative press.

To deter such behavior, the Department of Justice (DOJ) has announced a new Civil Cyber-Fraud Initiative that will use the False Claims Act (FCA) to pursue government contractors and grant recipients that: (1) knowingly fail to monitor and report data breaches, (2) knowingly implement inadequate cybersecurity measures, or (3) knowingly misrepresent their security practices.

Part of the DOJ’s reasoning in applying the FCA to these three new categories is that an organization’s failure to adequately protect patient information deprives the government of what it bargained for, which is deemed a false claim. Because most healthcare organizations qualify as government contractors by way of participating in Medicare/Medicaid, this extension of the FCA to cybersecurity practices will put the majority of them at much greater risk of running afoul of the FCA.

What really gives the FCA teeth is its qui tam (whistleblower) provision, which allows persons not affiliated with the government to initiate lawsuits over alleged FCA violations on the government’s behalf. This provision permits whistleblowers (who are most often employees or contractors) to initiate an action against an organization that violates the FCA.  

Of the $2.2 billion the government collected in 2020 in settlements and judgments from FCA violations, the overwhelming majority (more than $1.6 billion) arose from actions initiated by whistleblowers. FCA incentives most likely contribute to the prevalence of whistleblower-initiated actions. The FCA awards whistleblowers 15% to 30% of the amount the government collects. In 2020 alone, the government paid approximately $309 million to 672 FCA whistleblowers, which comes to an average award of more than $450,000 per whistleblower.         

The DOJ’s broadening of the FCA to cover cybersecurity deficiencies, in effect, now makes every employee a potential cybersecurity auditor with a substantial financial interest in the successful prosecution of the organization. Because most healthcare organizations are subject to this increased FCA enforcement, it is more important than ever for organizations to ensure that their cybersecurity protocols and breach response plans are sufficient.

Healthcare organizations can follow these compliance tips to decrease their likelihood of violating the cybersecurity aspects of the FCA.

Compliance Tips

1. Determine if your organization is subject to the FCA

Because the FCA only applies to organizations that are government contractors or those that receive federal grants, healthcare organizations should first determine whether they fit in either category and are thus subject to the FCA. Most healthcare organizations will be subject to the FCA as government contractors because they treat Medicare/Medicaid patients.  

2. Verify that your organization’s cybersecurity protocols are sufficient and all cybersecurity representations are accurate

Healthcare organizations should verify that they meet and adhere to all cybersecurity requirements in government contracts to avoid FCA allegations over failing to implement adequate cybersecurity protocols or misrepresenting the adequacy of the organization’s cybersecurity measures. A resource for Medicare/Medicaid cybersecurity requirements can be found on the Centers for Medicare & Medicaid Services (CMS) website.

3. Develop a cybersecurity incident response plan

Healthcare organizations should create a cybersecurity incident response plan that details how employees should report breaches and other unauthorized exposures of patient information. Make it clear to employees that time is of the essence in such situations and that they should err on the side of caution and report any potential breach or cybersecurity threat to management for review.

Management should then assess the incident and determine whether notification is necessary and, if so, to whom. It is also important for healthcare organizations to respond appropriately to concerns raised by employees about breaches, insufficient security measures and cybersecurity misrepresentations. If an organization ignores or mishandles a report, an employee might feel compelled to file a whistleblower claim under the FCA.

4. Review HIPAA cybersecurity requirements

While not every HIPAA violation will trigger FCA liability, violations stemming from a healthcare organization’s failure to implement adequate cybersecurity measures, misrepresentations of an organization’s cybersecurity measures, or failure to report a known breach may also be considered a false claim under the FCA. Healthcare organizations should confirm that their cybersecurity protocols and breach response plans are HIPAA-compliant to avoid any investigations for HIPAA violations that could also lead to the discovery of FCA violations.

5. Provide ongoing training to employees

Employees should receive adequate initial and ongoing training on how to identify and report cyber breaches and other cyber-related issues that may trigger an FCA claim. A simple set of instructions on reporting such situations to management should be made available to all employees. Those instructions should make it clear that employees will not be reprimanded or otherwise punished for reporting instances that, in the end, do not warrant concern.

 

Additional MagMutual Resources

HIPAA Toolkit – Breach Notification

Cybersecurity Toolkit

How to Respond to a Data Breach From a Third Party

State Breach Notification Laws: Overview of the Patchwork

Immediate Response to a Ransomware Attack

11/21

Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.