The Biden Administration and DOJ intend to pursue cyber fraud through the False Claims Act (FCA), with an emphasis on whistleblower reporting. The implications could be devastating for unsuspecting health care compliance teams and lead to multiple exposures to enforcement.
The U.S. Department of Justice's new Civil Cyber Fraud Initiative, and its use of the punitive False Claims Act (FCA) and the FCA's whistleblower provisions, raises important legal and risk management considerations for the health industry. Because enforcement will initially occur largely through civil investigations applying the FCA in the broadest possible way, health care organizations should undertake a priority assessment of their cybersecurity status to ensure that their practices can withstand hacks, whistleblowers and government scrutiny.
Cybersecurity Is an Urgent Priority for the Biden Administration
U.S. President Joseph Biden issued an executive order on May 12, 2021, to improve and modernize the nation’s cybersecurity, noting that recent cybersecurity incidents commonly demonstrated insufficient cybersecurity defenses. The executive order dovetailed with the DOJ’s reported launch of its own cybersecurity strategy for defending against and deterring emerging cyberthreats. On October 6, 2021, Deputy Attorney General Lisa Monaco announced the DOJ’s Civil Cyber Fraud Initiative, explaining that its objective is to hold accountable entities and individuals that put U.S. information or data at risk. Further explaining the initiative in a public speech, Brian Boynton, acting assistant attorney general for the DOJ’s Civil Division, cited the FCA as a natural fit for pursuing knowing failures to comply with cybersecurity standards, and acknowledged that whistleblowers with inside information have been and will be critical to identifying and pursuing evolving fraud schemes.
DOJ’s New Civil Cyber Fraud Initiative Has Important Goals
In the crosshairs of the initiative are government contractors and grant recipients that knowingly provide deficient cybersecurity products and services, knowingly misrepresent their cybersecurity practices and protocols, or knowingly violate obligations to monitor and report cyber incidents and breaches. DOJ officials also identify other important policy goals that may not be well associated with the traditional FCA objective of recovering money for the public fisc.
Some of the goals cited by DOJ officials include: improving cybersecurity practices generally by raising the bar of federal requirements; bolstering cybersecurity compliance efforts within industry; leveling the playing field between competitors that invest in cybersecurity and those that do not; and supporting the work of government experts to identify, create, and patch cyber vulnerabilities. These goals are not anti-fraud goals and may require significant updates to existing regulations and contract provisions to meet the relevant statutory definitions in the FCA, notably the definition of “obligation.”
For the health industry, the implications of the initiative should be broadly assessed. FCA cyber fraud exposure is now a parallel exposure to enforcement under the federal Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and state law, with potentially much graver consequences. Directly impacted are healthcare contractors, whether governed by the Federal Acquisition Regulation, U.S. Department of Veterans Affairs, or other agency procurement regulations. Grant recipients such as academic medical centers that receive research funds or have other contracted services will be in the zone of danger for cyber fraud exposure. All healthcare organizations must anticipate that untimely or incomplete cyber breach notices may be pursued under the FCA, which compels, as part of any response strategy, an updated assessment of whether to make voluntary disclosures broader than those legally mandated.
The risk of ensuring cybersecurity has shifted to private organizations that do business with the government and that simultaneously can be a victim of a cyber incident and a wrongdoer in violation of the FCA. It seems that DOJ enforcement policy in this regard is all stick and no carrots.
Call to Whistleblowers With Inside Expert Cyber Knowledge
In rolling out the cyber fraud initiative, DOJ officials highlighted the important role whistleblowers play, especially insiders who have the technical expertise in this highly complex area and are in the best position to know of and detect cyber incidents. The DOJ has set up special hotline reporting to get real-time tips of cyber threats. It is not clear that cyber threats, even breaches, will always correspond to provable FCA damages predictably enough to interest the whistleblower bar in investing in whistleblower cyber fraud investigations and filings. The nature of such threats is often immediate and will require a whistleblower to act first and sort out personal commercial interests later in order to avoid injury to U.S. information or data.
Using FCA For Non-Fraud Policy Goals: What’s Old Is New Again
Or, it could be said, it’s déjà vu all over again. Even though the FCA is not a general fraud statute, nor meant to be used for mere regulatory violations and breaches of contract provisions, it is the DOJ’s statute of choice for pursuing government contractors and grant recipients that have put U.S. information and data at risk. Maybe this is because, as a civil statute in which specific intent to defraud is not required, its evidentiary standards are low and its whistleblower provisions have been so successful. It is reasonable to predict that the objectives of the initiative will extend to the health industry at large, to civilly prosecute failures to prevent cyberattacks and untimely breach notifications by healthcare providers, even though the U.S. Department of Health and Human Services and state laws generally have this authority administratively and have been aggressive in pursuing breaches impacting protected health information. It is also probable that government agencies will need to update contract templates, bid provisions, and procurement or other regulations to make clear that cybersecurity is a material element of the relationship with the government and that deficiencies in performance are material to payment. Legally, materiality is not presumed, and the FCA case law in recent years on attempts to call cybersecurity noncompliance a fraud on the government is not promising for the government’s new initiative. (See U.S. ex rel. Adams v. Dell Computer, No. 15-cv-608 (D.D.C. 2020): qui tam alleging sale of computer products with undisclosed hardware vulnerabilities dismissed on materiality grounds.)
A laudable policy goal may not always be the best use of the FCA, which requires some nexus between a claim for federal money and a lie. The cyber fraud initiative will have to be nimble and selective to avoid the quagmire of the 20-year nursing home quality of care enforcement initiative where the DOJ sought to use the FCA to improve nursing home quality of care notwithstanding the legal obstacles to using a punitive civil fraud statute to achieve regulatory reform of an industry. Using the FCA for regulatory violations or contract breaches or mere negligence has contributed to many judicial decisions that seem unfavorable to anti-fraud initiatives or restrictive to the novel use of the FCA and reflect the limited scope of a highly punitive fraud statute.
What to Do Now?
Debating whether it’s a good idea to use the FCA to modernize cybersecurity will make for lots of legal and policy arguments on blogs and in conference rooms and courtrooms. Maybe the initiative will fizzle if whistleblower tips and actions do not materialize. For now, healthcare organizations should focus pragmatically on why cybersecurity is so critical to their business mission, including employee, patient, government and public trust.
Some steps that all organizations can take to manage risk include:
- Assess and update the cybersecurity response plan.
- Update the compliance disclosure program to expressly include IT and cyber issues.
- Assess and update relevant contracts with suppliers and vendors to account for FCA cyber exposure, including breach assessment and corrective action plan rights.
- Assess and update insurance policies to anticipate broader and different investigations following cyber incidents.
This article first appeared as an insight from Morgan Lewis. It is reprinted here with permission.