tostphoto - stock.adobe.com

DOJ Settles First Case Under Civil Cyber-Fraud Initiative

In the DOJ’s first settlement under the Civil Cyber-Fraud Initiative, Comprehensive Health Services agreed to pay $930,000 to resolve False Claims Act allegations.

Comprehensive Health Services (CHS) agreed to a $930,000 settlement to resolve False Claims Act allegations, signifying the Department of Justice’s (DOJ) first False Claims Act settlement since launching its Civil Cyber-Fraud Initiative in October. CHS is a government-contracted provider of global medical services.

The whistleblower case alleged that CHS falsely represented to the State Department and Air Force that it was in compliance with electronic medical record (EMR) security standards. CHS allegedly submitted claims for the cost of a secure EMR system to store patient records, including those of US diplomats, service members, and officials working in Iraq and Afghanistan. But CHS allegedly failed to reliably use the EMR system.

“The United States alleged that, between 2012 and 2019, CHS failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure EMR system,” the DOJ explained.

“When CHS staff scanned medical records for the EMR system, CHS staff saved and left scanned copies of some records on an internal network drive, which was accessible to non-clinical staff. Even after staff raised concerns about the privacy of protected medical information, CHS did not take adequate steps to store the information exclusively on the EMR system.”

In another incident, CHS allegedly failed to disclose that certain substances provided to the State Department and Air Force by CHS for medical care were not actually approved by the US Food and Drug Administration (FDA) or the European Medicines Agency (EMA).

Despite its contractual obligation to provide FDA and EMA-approved substances, CHS lacked a Drug Enforcement Agency license, which is required to export drugs from the US to Iraq.

“CHS obtained controlled substances by having CHS physicians based in Florida send letters requesting that a South African physician prescribe the controlled substances,” the DOJ alleged.

“A South African shipping company then received controlled substances that were not approved by the FDA or EMA and sent them to CHS in Iraq, where CHS supplied the unapproved controlled substances to patients under the State Department and Air Force contracts.”

Deputy Attorney General Lisa O. Monaco announced the Civil Cyber-Fraud Initiative in October 2021 with the intent of increasing cyber resilience across the country by holding those who fail to follow cybersecurity standards accountable.

The Civil Cyber-Fraud Initiative goes hand-in-hand with the False Claims Act, which is “the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations,” the October announcement stated.

“Protecting the health and safety of service members, diplomats, and other government employees working abroad is of utmost importance,” Breon Peace, U.S. attorney for the Eastern District of New York, said in the settlement announcement.

“The defendants were required to maintain personal health information securely and provide only approved pharmaceuticals to patients. This settlement serves notice to federal contractors that they will be held accountable for conduct that puts private medical records and patient safety at risk.”

In an unrelated incident, CHS issued a healthcare data breach notification in February 2022. The breach occurred on September 30, 2020 and impacted 106,752 individuals. The HIPAA Breach Notification Rule requires covered entities to notify impacted individuals within 60 days of discovering the breach. There was no explanation for why it took CHS over a year to notify impacted individuals.

Next Steps

Dig Deeper on Cybersecurity strategies