DOJ Settles Civil Cyber Fraud Initiative Case with CHS and Imposes a $930,000 Penalty
The U.S. Department of Justice (DOJ) has announced a settlement has been reached with the Cape Canaveral, FL-based healthcare services contractor, Comprehensive Health Services (CHS), to resolve alleged False Claims Act violations.
This is the first settlement to be reached under the DOJ Civil Cyber Fraud Initiative, which was launched in 2021. The Civil Cyber Fraud Initiative was launched to pursue cases against government contractors that knowingly used deficient cybersecurity products and services which put information systems at risk, as well as failures to report cybersecurity incidents.
CHS and its subsidiaries had contracts with the U.S. Department of State and the U.S. Air Force to operate medical services at U.S. military facilities in Afghanistan and Iraq. Two actions were filed under the whistleblower provisions of the False Claims Act that alleged CHS received payment for operating those medical facilities but failed to operate them in a manner consistent with U.S. standards.
CHS was alleged to have failed to maintain appropriate staffing levels, allowed unqualified individuals to perform surgery, pharmacy, and radiology services, and claimed that some of the controlled substances provided to patients at the medical facilities had been approved by the U.S. Food and Drug Administration or European Medicines Agency, when those substances had been imported from South Africa and had not been approved. CHS was accused of bidding on the contracts to run the medical facilities when it was aware that it was unable to meet its obligations to do so.
3 Steps To HIPAA Compliance
Please see HIPAA Journal
- Step 1 : Download Checklist.
- Step 2 : Review Your Business.
- Step 3 : Get Compliant!
The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.
Between 2012 and 2019, CHS submitted claims for reimbursement of $486,000 under its contract but did not disclose that it had failed to consistently store medical records in a secure, HIPAA-compliant electronic medical record (EMR) system. CHS staff scanned medical records for the EMR system but saved scanned copies of some of the records on an internal network drive, which could be accessed by non-clinical staff, including Iraqi nationals employed at the site. Some staff members expressed concern about the insecure storage of private medical information, but CHS took no action to address the issue and failed to ensure medical records were only stored in the EMR system. CHS was also alleged to have been made aware of several HIPAA breaches but failed to disclose them.
CHS agreed to settle the case with no admission of liability and agreed to pay a financial penalty of $930,000 to resolve the alleged False Claims Act violations.
“This settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.”