Virginia Contractor Settles False Claims Act Liability for Failing to Secure Medicare Beneficiary Data

Source: United States Department of Justice Criminal Division

ASRC Federal Data Solutions LLC (AFDS), headquartered in Reston, Virginia, has agreed to resolve False Claims Act allegations in connection with a government contract related to its storage of unsecured personally identifiable information of Medicare beneficiaries. Under the resolution, AFDS will pay $306,722. It will also waive any rights to reimbursement for remediating a data breach involving the information, including at least $877,578 in costs it incurred notifying beneficiaries and providing credit monitoring. AFDS promptly notified the Centers for Medicare and Medicaid Services (CMS) of the data breach, worked with CMS to address the impact of the breach, cooperated with the Justice Department’s investigation and took other remedial measures.

“Government contractors that handle personal information must take required steps to safeguard that information from cyberattacks,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will vigilantly pursue contractors that fail to comply with required cybersecurity protocols, while at the same time extending cooperation credit where warranted for self-disclosure, cooperation and remediation.”

AFDS provided certain Medicare support services under a contract with CMS. The settlement resolves allegations that from March 10, 2021, through Oct. 8, 2022, AFDS and a subcontractor stored screenshots from CMS systems containing personally identifiable information and potentially personal health information of Medicare beneficiaries on the subcontractor’s server without individually encrypting the files to protect them against exposure in the event of a breach. The subcontractor’s server employed disk-level encryption that protected files from unauthorized access but not from access using authorized credentials. The subcontractor’s server was breached by a third party in October 2022 and the unencrypted screenshots were allegedly compromised during that breach.

The United States alleged that the storing of screenshots on the subcontractor’s server violated AFDS’ contractual cybersecurity requirements, and that AFDS knowingly billed CMS in violation of these requirements.

“Safeguarding patients’ sensitive personal information is of paramount importance,” said Special Agent in Charge Stephen Niemczak of the Department of Health and Human Services Office of the Inspector General (HHS-OIG). “This settlement demonstrates the commitment by HHS-OIG and our law enforcement partners to use every available tool to protect the health care data of all Americans and to investigate allegations of fraud, waste and abuse against the public and taxpayer-funded health care programs.”

On Oct. 6, 2021, Deputy Attorney General Lisa Monaco announced the department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.

The resolution obtained in this matter was the result of a coordinated effort between the Civil Division’s Commercial Litigation Branch, Fraud Section, and HHS-OIG.

Senior Trial Counsel Jonathan H. Gold of the Civil Division’s Fraud Section handled the matter.

The claims resolved by the settlement are allegations only. There has been no determination of liability.

Settlement