DOJ’s civil cyber-fraud initiative borrows a law the healthcare industry knows well | Morgan Lewis – Health Law Analysis

The U.S. Department of Justice’s New Civilian Cyber ​​Fraud Initiative Utilizes the Punitive False Claims Act (FCA) and its Whistleblower Provisions Has Important Legal and Risk Management Considerations for the Healthcare Industry . Given that enforcement will initially largely be through civilian investigations applying the FCA as broadly as possible, healthcare organizations should undertake a priority assessment of their cybersecurity status to ensure their ensure their practices can withstand hacks, whistleblowers and government scrutiny.


US President Joseph Biden issued an executive order on May 12, 2021, to improve and modernize the country’s cybersecurity, noting that recent cybersecurity incidents have generally demonstrated insufficient cybersecurity defenses. The executive order was consistent with the DOJ announced the launch of its own cybersecurity strategy to defend and deter emerging cyber threats. On October 6, 2021, the Deputy Attorney General Lisa Monaco Announces DOJ’s Civil Cyber-Fraud Initiative, explaining that its goal is to hold accountable entities and individuals who put US information or data at risk. Explain the initiative in more detail in a public speechBrian Boynton, acting assistant attorney general for the DOJ’s Civil Division, cited the FCA as a natural candidate to prosecute knowing breaches of cybersecurity standards, and acknowledged that whistleblowers with inside information have been and will be key to identifying and continue the evolution of fraud. diets.


In the initiative’s sights are government contractors and grant recipients who knowingly provide deficient cybersecurity products and services, knowingly misrepresent their cybersecurity practices and protocols, or knowingly violate obligations to monitor and report cyber incidents and violations. DOJ officials also identify other important policy goals that may not mesh well with the FCA’s traditional goal of recovering money for the public tax office. Some of the goals cited by DOJ officials include: improving cybersecurity practices in general by raising the bar of federal requirements; strengthen cybersecurity compliance efforts within the industry; level the playing field between competitors who invest in cybersecurity and those who do not; and support the work of government experts to identify, create and fix cyber vulnerabilities. These purposes are not anti-fraud purposes and may require significant updates to existing regulations and contractual provisions to meet relevant FCA legal definitions, including the definition of “obligation”.

For the healthcare industry, the implications of the initiative should be widely assessed. The FCA’s cyber fraud exposure is now a parallel exposure to the Federal Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act and to state law enforcement with potentially much more serious consequences. Healthcare providers are directly affected, whether governed by the Federal Acquisition Regulation, the US Department of Veterans Affairs, or other agency procurement regulations. Grant recipients such as academic medical centers that receive research funds or have other contracted services will be in the danger zone of exposure to cyber fraud. All healthcare organizations should anticipate that untimely or incomplete cyber breach notices may be prosecuted under the FCA, requiring as part of any response strategy an updated assessment of voluntary disclosures broader than those legally mandated.

The risk of ensuring cybersecurity has shifted to private organizations that do business with the government and can be both victims of a cyber incident and a criminal in violation of the FCA. It seems that Justice Department enforcement policy in this regard is all sticks and no carrots.


While rolling out the Cyber ​​Fraud Initiative, DOJ officials emphasized the important role that whistleblowers play, especially insiders who have the technical expertise in this highly complex area and are best placed to know and detect cyber incidents. The DOJ has set up special hotline reports for real-time advice on cyber threats. It is not clear that cyber threats, even breaches, will always amount to provable damages from the FCA predictable enough to interest the whistleblower bar in investing in whistleblower investigations and filings on cyber fraud. The nature of these threats is often immediate and will require a whistleblower to act first and then determine personal business interests in order to avoid harm to US information or data.


Or, you might say, déjà vu all over again. While the FCA is not general fraud law, nor should it be used for simple violations of regulations and contract terms, it is the DOJ’s law of choice for prosecuting government contractors and beneficiaries of grants that put US information and data at risk. This may be because as a civil law where specific intent to defraud is not required, the standards of proof are low and its whistleblower provisions have been so effective. It is reasonable to predict that the goals of the initiative will transform for the healthcare industry as a whole to civilly prosecute failures to prevent cyberattacks and nuisance breach notifications by healthcare providers, even if the US Department of Health and Human Services and state laws generally have this authority. administratively and have been aggressive in pursuing breaches that impact protected health information. It is also likely that government agencies will need to update contract templates, tender provisions, and procurement or other regulations to make it clear that cybersecurity is an important element of the relationship with government and that performance deficiencies are material to payment. Legally, materiality is not presumed and FCA case law in recent years on the attempt to call cybersecurity non-compliance a fraud on the government is not promising for the new government initiative. (See United States ex rel. Computer Adams vs. Dell, NO. 15-cv-608 (D.DC. 2020): Qui tam alleging sale of computer products with undisclosed hardware vulnerabilities dismissed on grounds of materiality.)

A laudable political goal may not always be the best use of the FCA, which requires linking a request for federal money to a lie. The cyber-fraud initiative will need to be nimble and selective to avoid the quagmire of the 20-year-old Nursing Home Quality of Care Enforcement Initiative where the DOJ sought to use FCA to improve quality of care in nursing homes despite legal barriers to using a punitive civil fraud law to achieve regulatory reform of an industry. The use of FCA for regulatory violations or breaches of contract or simple negligence has contributed to numerous court rulings that appear to oppose anti-fraud initiatives or restrict new use of FCA and reflect the limited scope of highly punitive fraud law.


Debating whether it’s a good idea to use the FCA to modernize cybersecurity will lead to many legal and political arguments on blogs and in boardrooms and courtrooms. Perhaps the initiative will fail if the advice and actions of the whistleblowers do not materialize. For now, healthcare organizations need to pragmatically focus on why cybersecurity is so critical to their business mission, including employee, patient, government and public trust.

Some steps all organizations can take to manage risk include:

  • Evaluate and update the cybersecurity response plan.
  • Update the compliance disclosure program to expressly include IT and cyber issues.
  • Assess and update relevant contracts with vendors and vendors to account for FCA cyber exposure, including breach assessment and remediation action plan entitlements.
  • Evaluate and update insurance policies to anticipate broader and different investigations following cyber incidents.

For more information or to listen to the recording, check out our recent quick break: DOJ’s Civilian Cyber ​​Fraud Initiative and Implications for the Healthcare Industry.

[View source.]