Cybersecurity Caution: Contractors and Grantees Should Track the DOJ’s Growing Emphasis on Civil Cyber-Fraud

Published On: June 6, 2024

A Recent Settlement, and DOJ Intervention in an Ongoing Case, Highlight Cybersecurity as a False Claims Act Enforcement Priority

The U.S. Department of Justice’s (DOJ) increasingly active Civil Cyber-Fraud Initiative has made compliance with cybersecurity requirements a False Claims Act (FCA) enforcement priority, meaning that grant administrators and compliance staff must understand the need to keep organizational systems secure or risk significant legal exposure.

DOJ launched its Civil Cyber-Fraud Initiative in October 2021 to hold government contractors and other recipients of government funding accountable for violating cybersecurity requirements and placing government data and security systems at risk. In recent years, DOJ has underscored the Initiative’s importance, while projecting that enforcement efforts would ramp up in 2024 and into the future as an emerging priority area. The Initiative specifically focuses its enforcement efforts on entities that:

  • knowingly provide deficient cybersecurity products or services;
  • knowingly misrepresent cybersecurity practices or protocols; or
  • knowingly violate obligations to monitor and report cybersecurity incidents and breaches.

The DOJ’s prediction of enhanced cybersecurity enforcement is evidenced by two recent examples of DOJ activity within the cybersecurity FCA universe. As these two matters demonstrate, we expect cybersecurity to remain a growing area of the DOJ’s FCA enforcement and litigation efforts.

Staffing Company to Pay $2.7 Million for Failing to Provide Adequate Cybersecurity for COVID-19 Tracing Data

On May 1, 2024, the DOJ announced that Insight Global LLC (“Insight”), an international staffing and services company, agreed to pay $2.7 million to settle a whistleblower’s allegations that it failed to establish adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII), in violation of the FCA.

During the COVID-19 pandemic, the Pennsylvania Department of Health hired Insight to provide staffing for COVID-19 contact tracing and paid for Insight’s services using federal funds from the United States Centers for Disease Control and Prevention (CDC). The contract required Insight to (i) ensure that PHI related to the services would be kept confidential and secure; (ii) use secure devices in performance of the contract; and (iii) follow federal PHI safeguarding regulations.

The DOJ alleged Insight violated these requirements because Insight-hired staff stored and transmitted PHI and/or PII using methods that violated the contract. Specifically, staff members allegedly:

  • Shared passwords to access PHI and PII;
  • Used Google documents as a method of storing and transmitting PHI and PII; and
  • Received PHI and PII in unencrypted emails.

Insight’s former business intelligence reporting manager filed the case against Insight in July 2021 as a qui tam FCA action in Pennsylvania federal court. Following its investigation, the DOJ intervened in the relator’s case in April 2024 for the purpose of filing the settlement agreement. Of the $2.7 million settlement total, the relator will receive nearly $500,000 as a share award and $86,200 for expenses and fees.

The settlement serves as a critical reminder for contractors and grantees that federal rules and obligations attach to federal funds, even where those funds are first passed through state governments. Even when a state-level contract or grant agreement is implicated, those rules include federal cybersecurity obligations that can put an entity in the DOJ’s crosshairs.

Georgia Tech Case Marks DOJ’s First Intervention in Cybersecurity FCA Qui Tam Litigation

In February 2024, the DOJ intervened in its first cybersecurity-related FCA case since unveiling the Civil Cyber-Fraud Initiative. The ongoing case was filed by two whistleblowers in July 2022 against the Georgia Tech Research Corporation. The whistleblowers allege that the university failed to adhere to proper standards in processing and storing controlled unclassified information related to various U.S. Department of Defense (DoD) contracts. See United States ex rel. Craig v. Georgia Tech Research Corporation, No. 1:22-cv-02698 (N.D. Ga.).

Under the provisions of the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, contractors that process and store controlled unclassified information must rely on information systems that comply with National Institute of Standards and Technology Special Publication (NIST SP) 800-171. Because Georgia Tech (like many universities) holds multiple DoD contracts, it must meet the NIST SP 800-171 compliance standard under those contracts.

The whistleblowers, who were Georgia Tech’s associate director of cybersecurity and a former information security graduate student, alleged that they found one computer system within a certain university lab lacked certain software that should have been implemented under NIST SP 800-171.

The whistleblowers asserted that when they took their complaints to Georgia Tech administrators, in an effort to resolve the issue, the administrators failed to take any action to rectify their concerns. In addition to alleging that Georgia Tech submitted false claims for government payment, the complaint also alleges Georgia Tech retaliated against its employees for attempting to stop the unlawful actions, violating multiple provisions of the False Claims Act.

Because it has intervened in the case, the DOJ now has until late June to file its own complaint.

Next Steps for Mitigating Cybersecurity Risk

Taken together, the Insight settlement and Georgia Tech intervention underscore the active nature of the DOJ’s Civil Cyber-Fraud Initiative. As additional standards for storing, processing, and handling sensitive—or even classified—data are implemented, grantees and contractors should remain vigilant about understanding, and following, all cybersecurity requirements.

When the DOJ files its complaint in intervention in the Georgia Tech case, that pleading will shed additional light on the government’s increasingly stringent approach to cybersecurity enforcement. In the meantime, it remains clear that DoD contractors and all sorts of federal grantees are facing a growing potential for FCA risk pertaining to their protection of sensitive data. Compliance professionals should ensure appropriate investment in hardware, software, and professional expertise and oversight to keep pace with the scale and sophistication of federal funding requirements.


If you have any questions regarding False Claims Act investigations or litigation, please contact Enforcement Insider Editors Rosie Dawn Griffin (rgriffin@feldesman.com) and Mindy B. Pava (mpava@feldesman.com) or call 202.466.8960. Be sure to also check out our Enforcement Insider blog to stay up to date on the latest enforcement actions and court decisions of interest to federal grantees and other recipients of federal funding.