Corporate Compliance Insights

DOJ’s Civil Cyber Fraud Initiative Could Find Health Care Companies Exposed on Multiple Fronts

Biden Admin Plans to Tap a Familiar Tactic in Policing Cybersecurity. Implications Are Potentially Massive for Health Care Compliance Teams.

by Kathleen McDermott and Mark Krotoski
February 22, 2022
in Cybersecurity, Fraud

The Biden Administration and DOJ intend to pursue cyber fraud through the False Claims Act (FCA), with an emphasis on whistleblower reporting. The implications could be devastating for unsuspecting health care compliance teams and lead to multiple exposures to enforcement. 

The U.S. Department of Justice’s new Civil Cyber Fraud Initiative, with its use of the punitive False Claims Act (FCA) and its whistleblower provisions, raises some important legal and risk management considerations for the health industry. Because enforcement will initially occur largely through civil investigations applying the FCA in the broadest possible way, health care organizations should undertake a priority assessment of their cybersecurity status to ensure that their practices can withstand hacks, whistleblowers and government scrutiny.

Cybersecurity Is an Urgent Priority for the Biden Administration

U.S. President Joseph Biden issued an executive order on May 12, 2021, to improve and modernize the nation’s cybersecurity, noting that recent cybersecurity incidents commonly demonstrated insufficient cybersecurity defenses. The executive order dovetailed with the DOJ’s reported launch of its own cybersecurity strategy for defending and deterring emerging cyberthreats. On October 6, 2021, Deputy Attorney General Lisa Monaco announced the DOJ’s Civil Cyber Fraud Initiative, explaining that its objective is to hold entities and individuals accountable that put U.S. information or data at risk. Further explaining the initiative in a public speech, Brian Boynton, acting assistant attorney general for the DOJ’s Civil Division, cited the FCA as a natural fit to pursue knowing failures to comply with cybersecurity standards, and acknowledged that whistleblowers with inside information have been and will be critical to identifying and pursuing evolving fraud schemes.

DOJ’s New Civil Cyber Fraud Initiative Has Important Goals

In the crosshairs of the initiative are government contractors and grant recipients that knowingly provide deficient cybersecurity products and services, knowingly misrepresent their cybersecurity practices and protocols, or knowingly violate obligations to monitor and report cyber incidents and breaches. DOJ officials also identify other important policy goals that may not be well associated with the traditional FCA objective of recovering money for the public fisc.

Some of the goals cited by DOJ officials include: improving cybersecurity practices generally by raising the bar of federal requirements; bolstering cybersecurity compliance efforts within industry; leveling the playing field between competitors that invest in cybersecurity and those that do not; and supporting the work of government experts to identify, create, and patch cyber vulnerabilities. These goals are not anti-fraud goals and may require significant updates to existing regulations and contract provisions to meet the relevant statutory definitions in the FCA, notably the definition of “obligation.”

For the health industry, the implications of the initiative should be broadly assessed. FCA cyber fraud exposure is now a parallel exposure to federal Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Clinical Health Act, and state law enforcement with potentially much graver consequences. Directly impacted are healthcare contractors, whether governed by the Federal Acquisition Regulation, U.S. Department of Veterans Affairs, or other agency procurement regulations. Grant recipients such as academic medical centers that get research funds or have other contracted services will be in the zone of danger for cyber fraud exposure. All healthcare organizations must anticipate that untimely or incomplete cyber breach notices may be pursued under the FCA, which compels, as part of any response strategy, an updated assessment of whether to make broader voluntary disclosures than are legally mandated.

The risk of ensuring cybersecurity has shifted to private organizations that do business with the government and that simultaneously can be a victim of a cyber incident and a wrongdoer in violation of the FCA. It seems that DOJ enforcement policy in this regard is all stick and no carrots.

Call to Whistleblowers With Inside Expert Cyber Knowledge

In rolling out the cyber fraud initiative, DOJ officials highlighted the important role whistleblowers play, especially insiders who have the technical expertise in this highly complex area and are in the best position to know of and detect cyber incidents. The DOJ has set up special hotline reporting to get real-time tips of cyber threats. It is not clear that cyber threats, even breaches, will always correspond to provable FCA damages predictably enough to interest the whistleblower bar to invest in whistleblower cyber fraud investigations and filings. The nature of such threats is often immediate and will require a whistleblower to act first and determine commercial personal interests later to avoid injury to U.S. information or data.

Using FCA For Non-Fraud Policy Goals: What’s Old Is New Again

Or, it could be said, it’s déjà vu all over again. Even though the FCA is not a general fraud statute, and is not to be used for mere regulatory violations and breaches of contract provisions, it is the DOJ’s statute of choice for pursuing government contractors and grant recipients that have put U.S. information and data at risk. Maybe this is because, as a civil statute where specific intent to defraud is not required, the evidentiary standards are low and its whistleblower provisions have been so successful. It is reasonable to predict that the objectives of the initiative will morph to the health industry at large to civilly prosecute failures to prevent cyberattacks and untimely breach notifications by healthcare providers, even though the U.S. Department of Health and Human Services and state laws generally have this authority administratively and have been aggressive in pursuing breaches impacting protected health information. It is also probable that government agencies will need to update contract templates, bid provisions, and procurement or other regulations to make clear that cybersecurity is a material element of the relationship with the government and deficiencies in performance are material to payment. Legally, materiality is not presumed, and the FCA case law in recent years on attempting to call cybersecurity noncompliance a fraud on the government is not promising for the government’s new initiative. (See US ex rel. Adams v. Dell Computer, No. 15-cv-608 (D.D.C. 2020): Qui tam alleging sale of computer products with undisclosed hardware vulnerabilities dismissed on materiality grounds.)

A laudable policy goal may not always be the best use of the FCA, which requires some nexus between a claim for federal money and a lie. The cyber fraud initiative will have to be nimble and selective to avoid the quagmire of the 20-year nursing home quality of care enforcement initiative where the DOJ sought to use the FCA to improve nursing home quality of care notwithstanding the legal obstacles to using a punitive civil fraud statute to achieve regulatory reform of an industry. Using the FCA for regulatory violations or contract breaches or mere negligence has contributed to many judicial decisions that seem unfavorable to anti-fraud initiatives or restrictive to the novel use of the FCA and reflect the limited scope of a highly punitive fraud statute.

What to Do Now?

Debating whether it’s a good idea to use the FCA to modernize cybersecurity will make for lots of legal and policy arguments on blogs and in conference rooms and courtrooms. Maybe the initiative will fizzle if whistleblower tips and actions do not materialize. For now, healthcare organizations should focus pragmatically on why cybersecurity is so critical to their business mission, including employee, patient, government and public trust.

Some steps that all organizations can take to manage risk include:

  • Assess and update the cybersecurity response plan.
  • Update the compliance disclosure program to expressly include IT and cyber issues.
  • Assess and update relevant contracts with suppliers and vendors to account for FCA cyber exposure, including breach assessment and corrective action plan rights.
  • Assess and update insurance policies to anticipate broader and different investigations following cyber incidents.

This article first appeared as an insight from Morgan Lewis. It is reprinted here with permission.


A former Assistant U.S. Attorney and U.S. Department of Justice (DOJ) Healthcare Fraud Coordinator, Kathleen McDermott, a partner at global law firm Morgan, Lewis & Bockius LLP, represents healthcare and life sciences clients throughout the United States in federal and state government investigations and litigation matters relating to criminal, civil, and administrative allegations, including violations of the False Claims Act and its whistleblower provisions. She is a recipient of the HHS Inspector General’s Integrity Award for her work in government healthcare fraud matters and has been recognized as a leading False Claims Act practitioner with both government and defense experience. Kathleen also advises Boards of Directors and senior corporate management on corporate compliance matters relating to internal investigations, voluntary government disclosures, consent decrees, and corporate integrity agreements.

Mark Krotoski, partner and co-leader of the Morgan, Lewis & Bockius LLP Privacy & Cybersecurity Practice, represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice, Mark has handled a variety of complex and novel investigations and high-profile cases. As the assistant chief of the National Criminal Enforcement Section in the DOJ’s Antitrust Division, he oversaw international criminal antitrust cartel investigations and successfully led trial teams in prosecuting antitrust and obstruction of justice cases involving corporations and executives.
