DOJ Settles Civil Cyber Fraud Initiative Case with CHS and Charge a $930,000 Penalty

The U.S. Department of Justice (DOJ) has announced the settlement reached with the healthcare services provider, Comprehensive Health Services (CHS) based in Cape Canaveral, FL to resolve alleged False Claims Act violations.

This is the first settlement reported under the DOJ Civil Cyber Fraud Initiative, which was introduced in 2021. The Civil Cyber Fraud Initiative was started to pursue cases against government contractors that knowingly utilized lacking cybersecurity tools and services which put information systems at risk, and failures to send notifications of cybersecurity incidents.

CHS together with its subsidiaries had agreements with the U.S. Air Force and the U.S. Department of State to manage medical services at U.S. military facilities in Iraq and Afghanistan. Two actions were submitted with the whistleblower terms of the False Claims Act that claimed CHS acquired payment for running those healthcare facilities yet failed to operate them in a way in line with U.S. benchmarks.

Allegedly, CHS was unable to maintain suitable staffing levels, permitted unqualified people to conduct surgery, radiology, and pharmacy services, and stated that a few of the controlled substances given to patients at the medical facilities were authorized by the U.S. Food and Drug Administration or European Medicines Agency, when those substances were imported from South Africa and were not approved. CHS was charged with bidding on the contracts to operate the medical facilities when it was advised that it could not meet its responsibilities to do so.

From 2012 to 2019, CHS submitted claims for repayment of $486,000 under its contract however did not reveal that it did not consistently keep medical records in a safe, HIPAA-compliant electronic medical record (EMR) system. CHS employees scanned medical records for the EMR system nevertheless kept scanned copies of a few records on an internal network drive, which can be accessed by non-clinical personnel, which include Iraqi nationals employed at the location. A few workers expressed concern regarding the insecure storage of private medical data, nevertheless, CHS didn’t do anything to deal with the issue and failed to make certain health records were just kept in the EMR system. CHS was additionally alleged to have been informed of a number of HIPAA breaches although failed to reveal them.

CHS agreed to settle the case with no admission of liability and decided to pay a financial penalty of $930,000 to take care of the supposed False Claims Act violations.

This settlement exhibits the department’s dedication to utilizing its civil enforcement tools to go after government contractors that fail to stick to demanded cybersecurity specifications, especially when they put secret medical records in danger, explained Principal Deputy Assistant Attorney General Brian M. Boynton, the Justice Department’s Civil Division head. It is their duty to make sure that those people who conduct business with the government adhere to their contractual commitments, such as those necessitating the protection of sensitive government information.