Insights

On June 17, 2024, the Department of Justice (DOJ) announced a $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities:  the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud.  This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre‑production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology product before public launch, and that Guidehouse used an unapproved third-party data cloud software program to store personally identifiable information (PII).

On May 1, 2024, the Department of Justice (DOJ) announced that Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH) to provide staffing for COVID-19 contact tracing services.  Although contracts with state agencies generally fall outside the FCA’s ambit, PADOH paid Insight using funds received from the federal Centers for Disease Control and Prevention (CDC)—bringing the contract within the FCA’s scope. 

On October 7, 2021, the Department of Justice (DOJ) announced its new Civil Cyber-Fraud Initiative, focused on civil enforcement against government contractors that fail to follow cybersecurity contract requirements.  The Initiative, led by the Civil Division’s Commercial Litigation Branch and Fraud Section, will utilize the False Claims Act to combat cyber threats to sensitive information and critical systems by enforcing the government’s contractual cybersecurity standards.  The Initiative will hold accountable contractors that knowingly: 1) provide deficient cybersecurity products or services; 2) misrepresent cybersecurity compliance; or 3) fail to monitor and report cybersecurity incidents in accordance with contract requirements. 

Click below to listen or access from one of these links: PodBean | SoundCloud | Apple Podcasts