Health Company Liable For Substandard Data Protection

Writing in FCPA blog, Annie Hudgins discusses compliance lessons to be drawn from the recently announced settlement between the U.S. Department of Justice and Comprehensive Health Services LLC. The Health company will pay $930,000 to resolve, among other things, its violation of the False Claims Act. According to the DOJ’s announcement, Comprehensive Health made false representations to the State Department and the Air Force, indicating that it had complied with contract requirements related to medical services it provided at facilities in Iraq and Afghanistan. It was the first resolution of a False Claims Act case involving cyber fraud since the launch of the DOJ’s Civil Cyber-Fraud Initiative in 2021. According to the complaint, between 2012 and 2019, the company failed to disclose that it had not consistently stored patients’ medical records on a secure EMR system. — Identify and respond to risks in contractors’ cyber uses, Hudgins advises. She says contractors should ensure any representations made to the government on the security of information are current and correct. She also notes that this settlement occurred without evidence of a cyber incident, meaning liability can exist based solely on substandard data protection practices.