The DOJ began casting a wider net for False Claims Act enforcement years before the pandemic broke out. Now with large-scale suspected EIDL and PPP fraud, companies need to double- and triple-check the accuracy of their applications or face the inevitable consequences.
In the last year, Congress passed two of the largest relief bills in modern history and made an unprecedented amount of federal funds available to businesses to help them survive the COVID-19 pandemic. The Trump and Biden administrations released a combined total of $3.1 trillion. These immense benefits, of course, come with strings attached; among them, heightened responsibilities under the False Claims Act (FCA).
The False Claims Act Was Passed During the Civil War. It’s Scope of Enforcement Has Steadily Expanded.
Congress enacted the FCA in 1863 to combat fraud by defense contractors during the Civil War. The bill made it illegal for any individual or entity to knowingly submit, or cause another to submit, false claims to the federal government for payment. Those familiar with the history of the FCA know the Civil War accounts of contractors who sold the Union Army decrepit mules, uniforms that would dissolve in rain (hence the popular use of the term, “shoddy”) and even ships that were sold as new, but when put into battle were exposed as having rotten, painted-over hulls. Similar accounts can be found throughout other crises in United States history. Today, any individual or entity that submits a false claim is liable for three times the government’s damages plus a civil penalty, currently between $11,665 and $23,331 per claim.
Recent public remarks and early enforcement activity show the government has a hearty appetite to pursue FCA cases and to look beyond traditional defendants. Republican Senator Chuck Grassley of Iowa is arguably the staunchest advocate of the FCA. In a July 2020 speech celebrating Whistleblower Appreciation Day, he said:
“Since I led the effort to amend [the FCA] back in 1986, False Claims Act cases have recovered more than $62 billion for taxpayers. … And the False Claims Act has never been more important than it is right now…”
Remarking recently on the Department of Justice’s newly announced COVID-19 Fraud Task Force, Attorney General Merrick Garland stated, “the Department of Justice will use every available federal tool — including criminal, civil and administrative actions — to combat and prevent COVID-19-related fraud.” He made it clear that the Task Force would feature several departments alongside the DOJ — including Labor, Treasury, Homeland Security, the SBA, the VA and FDIC — as well as the Special Inspector General for Pandemic Relief (SIGPR) and the Pandemic Response Accountability Committee (PRAC). To date, the results are notable: the DOJ has charged nearly 600 defendants over the past year for alleged attempts to fraudulently obtain over $600 million in COVID-19 relief funds.
Over the past few years, both the government and FCA relators (whistleblowers) have targeted more types of defendants than they have ever previously. While defense contractors, health care providers (hospitals and physicians), health care suppliers (pharma, device and equipment) and other more traditional defendants are still a central focus of most FCA cases, new companies that should consider potential exposure under the FCA include software vendors, private equity financiers, sureties, insurance companies and educational institutions.
For example, last year, an electronic health records (EHR) software company, Practice Fusion, paid approximately $145 million to resolve criminal and civil investigations relating to its EHR software and whether it ran afoul of the Anti-Kickback Statue (AKS). Practice Fusion operated a largely free EHR service for medical providers but earned revenue by selling “clinical decision support” alerts to pharmaceutical companies. These alerts prompted doctors to take certain clinical actions, such as performing tests, based on a patient’s profile. In the case at issue, Practice Fusion designed an alert specifically to encourage doctors to prescribe extended release opioids regardless of medical efficacy. Although Practice Fusion did not directly submit any claims to the government, it still faced significant liability for having caused providers to submit false claims through its alert.
Likewise, in September of 2019, the U.S. settled a civil FCA case for $21.6 million against, among others, Riordan, Lewis, & Haden, Inc. (RLH), a private equity firm. Like Practice Fusion, RLH had no direct contractual relationship with the government, but one of the portfolio companies that it managed did. The portfolio company allegedly paid outside “marketers” to target military members and their families for expensive prescriptions to ensure the highest possible insurance reimbursement. Although it was not the primary actor, RLH, in managing the portfolio company, “knew of and agreed to” the plan to pay third parties to generate referrals “regardless of patient need,” and, thus, faced liability.
Similarly, in an ongoing action, a former employee of a construction company brought a qui tam action against 18 defendants, including not only his former employer, but also sureties and a bond producer (“bonding defendants”). The relator alleged, among other claims, that the bonding defendants enabled the construction company to create fraudulent shell companies in order to obtain preferential status to ultimately win set-aside government contracts. The court permitted the case to proceed against the bonding defendants on the theory that through the underwriting process, they knew or should have known that the construction company made false claims and nevertheless issued surety bonds.
In higher education, Duke University in March 2019 agreed to pay a $112.5 million settlement to resolve a qui tam action. The action alleged that Duke researchers “authored numerous scientific publications based on fraudulent research funded by public grants.” After receiving indications that one of the researchers at issue embezzled from the university, Duke fired the researcher and conducted a review of her and her team’s research. However, even after finding fraudulent activity related to the research, Duke continued to submit grant applications and progress reports based on the fraudulent data and failed to report its findings to government grant providers. Ultimately, Duke faced liability in part on a “reverse FCA” theory — Duke, like many COVID-relief recipients, received government funds for research by the team that should have been returned to the government, and it did not do so.
Recently, in January 2021, the DOJ announced the first civil settlement resolving allegations of fraud involving loans pursuant to COVID-relief. SlideBelts, Inc., an internet retail company, falsely certified to federally insured banks that the company was not in bankruptcy proceedings in order to obtain a $350,000 loan through the Paycheck Protection Program (PPP). A DOJ/SBA investigation ensued, resulting in the company agreeing to pay $100,000 in penalties and damages, plus the amount of the loan, to settle claims. This relatively small loan amount fell below the Small Business Administration’s $2 million “safe harbor” threshold; however, the safe harbor did not deter DOJ enforcement. The GAO has since added emergency loans for small businesses to its “High Risk List,” specifically citing the potential for fraud in permitting self-certification.
1. Early COVID-19 relief cases have focused on loan applications and supporting documents.
Not surprisingly, the first wave of COVID-19 relief enforcement actions has focused on straightforward violations in loan applications and supporting documents. Most of these have been criminal fraud-based actions against individuals. However, the SlideBelts settlement shows that the DOJ will bring enforcement actions against corporate loan recipients, even of smaller loans.
2. Enforcement is not always limited to the direct fund recipients.
Actions against sureties, technology vendors and private equity backers show that FCA liability is not limited to those parties directly contracting with the government. In 2020, Ethan Davis, then-Principal Deputy Assistant Attorney General warned in a speech that when a private equity firm “invests in a company in a highly-regulated space … the firm should be aware of laws and regulations designed to prevent fraud” and, where “a private equity firm takes an active role in illegal conduct by the acquired company, it can expose itself to False Claims Act liability.” With such a significant amount of aid going to small businesses, investors will face increased scrutiny — regardless of whether those entities have sophisticated government contract compliance capabilities.
3. Examine any heightened responsibilities that come with doing business with the government.
Contracting with the government — whether as a funds recipient or by providing goods or services — differs significantly from doing business with a private party. What might otherwise be common practice in commercial contracting can result in serious liability with the government. Thus, companies should carefully review all obligations that come with government contracts, particularly those involving complex certifications, like cybersecurity, in which the DOJ has shown a strong interest (and given recent events, will surely continue to do so).
4. Always investigate allegations of wrongdoing quickly and thoroughly.
Early and swift action is key to minimizing any damage that might come with a government contract breach. The government has voluntary disclosure options for contractors acting in good faith, and there are times when disclosure is mandatory. Delaying remedial action in these cases can come with significant consequences. Information that is discovered may trigger FCA obligations, even if, as shown above, it came through underwriting or due diligence.
5. Don’t hesitate to call a duck a duck. Understand the factors that create FCA risk, and seek advice accordingly.
There are broad implications of bad behavior for government contractors and fund recipients. For example, if an employee falsifies records — like in the Duke case — that misconduct can have significant consequences where those records have been relied on in seeking funds from, or reporting results to, the government. Treating incidents like these as strictly employment problems can leave a company vulnerable.
 The DOJ has aggressively enforced cases against health care vendors and related corporate entities. For example, in January, the DOJ settled with a health care technology vendor, athenahealth, for $18.25 million for alleged FCA violations and, similarly, in April settled with an EHR software provider, CareCloud, for $3.8 million.
 The DOJ announced another settlement with a private equity fund and its portfolio company in November 2020. Medical Device Business Services (MDBS) paid $10 million to settle FCA allegations and its private equity backer, The Gores Group, paid an additional $1.5 million to resolve allegations MDBS continued improper practices after The Gores Group acquired it.
 Outside auditors face similar risks. For example, in 2018, Deloitte paid $149.5 million to resolve FCA allegations arising from its role as an independent outside auditor for a mortgage originator, Taylor Bean & Whitaker.
 In late 2015, the University of Florida faced a similar action, in which it agreed to pay $19.9 million to resolve allegations that it diverted grant funds away from the projects for which those grants were provided. Similarly, on May 10, 2021, the University of Miami agreed to pay $22 million to resolve FCA allegations related to its hospital and laboratories.
 Likewise, in April, the DOJ settled an FCA action against Professional Medical Corporation and its owner for allegedly making false certifications to obtain two PPP loans for $70,000 and $430,000. Here, as in Slidebelts, the relatively small amounts of the loans at issue did not deter enforcement.