CHS Pays False Claims Act Settlement Involving EMR SecurityDOJ: Settlement Is First Under New Civil Cyber-Fraud Initiative
A healthcare services contractor has agreed to pay a $933,000 settlement in a federal whistleblower case involving alleged false claims by the entity about the security of electronic medical records containing the information of military personnel, diplomats and contractors.
The settlement is the first under the Department of Justice's Civil Cyber-Fraud Initiative, which was launched last year.
The civil settlement resolves two actions brought against Comprehensive Health Services, based in Cape Canaveral, Florida, under the whistleblower provisions of the False Claims Act involving CHS' government contracts to provide medical services at U.S. military facilities in Iraq and Afghanistan.
Besides allegations that CHS made false claims about the security of its electronic medical records, the legal actions included allegations that CHS misrepresented to the U.S. State Department and Air Force that certain controlled substances provided at military facilities in Iraq and had been approved by the Food and Drug Administration or European Medicines Agency.
"This settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk," said Brian Boynton, principal deputy assistant attorney general and head of the Justice Department’s Civil Division, in a March 8 statement.
CHS did not immediately respond to Information Security Media Group's request for comment on the settlement. CHS is a subsidiary of government contractor Acuity.
The whistleblower case centers on contracts that CHS and several of its subsidiaries had with the U.S. Department of State and the U.S. Air Force to operate medical facilities at the U.S. embassies in Baghdad and Iraq, the U.S. consulate in Basrah and the air base at Balad, consistent with "U.S. standards."
The complaint alleges that CHS submitted claims and received payment despite the company allegedly failing to meet the standards, including failing to adequately secure medical records in EMR systems compliant with HIPAA requirements, failing to disclose known HIPAA breaches and knowingly importing nonapproved controlled substances medications into Iraq from South Africa.
“The defendants were required to maintain personal health information securely and provide only approved pharmaceuticals to patients," said Breon Peace, U.S. attorney for the Eastern District of New York, in the Justice Department's statement. "This settlement serves notice to federal contractors that they will be held accountable for conduct that puts private medical records and patient safety at risk."
Unsecured Records Alleged
U.S. prosecutors in court documents alleged that under its government contract with the U.S., CHS was required to provide a secure EMR system to store all patients' medical records, including the confidential identifying information of U.S. service members, diplomats, officials and contractors working and receiving medical care in Iraq.
Court documents allege that between 2012 and 2019, CHS submitted claims to the State Department for nearly $486,000 for reimbursement under its government contract, but failed to disclose that CHS had not complied with the EMR security related requirements of the contract.
The legal action also alleges that when CHS staff scanned medical records for the EMR, the staff saved and left scanned copies of some of the records on an internal network drive, which nonclinical staff could have accessed. "Even after staff raised concerns about the privacy of protected medical information, CHS did not take adequate steps to store the information exclusively on the EMR," court documents allege.
The legal action also alleged that the U.S. paid nearly $142,000 for claims CHS submitted that failed to disclose that the controlled substances provided had not been approved by the FDA or the European Medicines Agency, in violation of the contracts with the U.S.
Attorney Rachel Rose represented one of the whistleblowers, Michael Shawn Lawler, a dentist who worked at several military bases and diplomatic facilities under the U.S. State Department contract with his former employer CHS. Rose says the case is significant for several reasons.
One, she says, is that the legal action is believed to be the first False Claims whistleblower case in which the departments of State and Defense have alleged government procurement fraud, HIPAA, EMRs and cybersecurity are all involved.
"We appreciate Dr. Lawler's courage to raise awareness of such important issues in this case, which ranged from [CHS] allegedly failing to have appropriate technical, administrative and physical safeguards in place for medical records to the illicit procurement of controlled substances," Rose says.
Lawler's complaint alleges that CHS maintained medical records, including dental records, on an unsecured computer system for years, exposing sensitive protected health information of U.S. military personnel and others to access by unauthorized individuals, including Iraqi nationals employed at the facilities during a period when the U.S. was fighting Islamic State group terrorists in Iraq.
The settlement agreement is neither an admission of liability by CHS and its subsidiary nor a concession by the U.S. that its claims are not well founded, the Justice Department says in its statement.
Civil Cyber-Fraud Effort
The investigation and resolution of the CHS case is the first to fall under the Justice Department's Civil Cyber-Fraud Initiative, which was announced last October.
Under the effort, the Justice Department says it will pursue False Claims Act cases against government contractors that put U.S. information systems at risk by knowingly providing deficient cybersecurity products or services or failing to report cybersecurity incidents and breaches (see: U.S. DOJ to Fine Contractors for Failure to Report Incidents).
In a separate security incident involving CHS, the company in February reported to the Department of Health and Human Services a hacking incident affecting the PHI of nearly 107,000 individuals (see: 2 Vendor Hacking Incidents Affect Over 600,000 Individuals).
In a breach notification report, CHS says that on Sept. 30, 2020, it detected unusual activity within its digital environment following discovery of multiple fraudulent wire transfers.
Following review and analysis of the incident, CHS determined on Nov. 3, 2021, that personal information of "a limited number" of individuals employed by one of its customers may have been accessed or acquired by a malicious actor. Affected information includes names, dates of birth and Social Security numbers.