We previously offered insight into two False Claims Act (“FCA”) enforcement actions brought by the U.S. Department of Justice (“DOJ”) as part of its “Civil Cyber-Fraud Initiative” (“CCF Initiative”). Deputy Attorney General Lisa O. Monaco announced the CCF Initiative in October 2021, stating that “[t]he initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” We noted that DOJ “was not bluffing,” and that in addition to the two highlighted cases, “more are expected.” The prediction has come true.
DOJ recently announced a settlement with Jelly Bean Communications Design LLC and its sole employee, manager, and 50% owner (collectively, “Jelly Bean”), under which Jelly Bean agreed to pay nearly $300,000 to resolve cybersecurity-related FCA claims. Of that amount, $130,565 was restitution; the remainder reflects the FCA’s multiplier, since the statute allows treble damages plus substantial additional civil penalties for each false claim, and affected agencies have exclusion authority as well. DOJ alleged that Jelly Bean created, hosted, and maintained a website for the Florida Healthy Kids Corporation (“FHKC”), a state-created and federally funded entity that offers health and dental insurance for Florida children ages 5 through 18. The website gave parents an online option to apply for state Medicaid insurance coverage for their children, and in addition to creating and maintaining the website, Jelly Bean’s role allegedly included collecting the submitted data and relaying it to FHKC’s third-party administrator for processing. DOJ alleged that Jelly Bean’s invoices to FHKC included a line item for “HIPAA-compliant hosting,” and that, contrary to the representations made in its agreements and invoices, Jelly Bean failed to properly maintain, patch, and update the software underlying the website, leaving both the site and the data Jelly Bean collected and relayed vulnerable to attack. Indeed, in December 2020, third parties “hacked” the website, altered data, and compromised roughly half a million applications, forcing a shutdown of the website. Information potentially exposed by the website’s vulnerabilities included a range of personal data: email addresses and telephone numbers, Social Security numbers, financial and wage information, family relationships, and secondary insurance information.
In announcing the settlement, which was handled by the U.S. Attorney’s Office for the Middle District of Florida in conjunction with the Fraud Section of DOJ’s Commercial Litigation Branch, DOJ reiterated the CCF Initiative’s objectives, stating “[w]e will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.” The Department of Health and Human Services Office of Inspector General (“HHS-OIG”) added that it “will continue to work … to ensure that enrollees can rely on their health care providers to safeguard their personal information.”
This is now the third known FCA settlement under the CCF Initiative, and together these cases highlight the growing FCA exposure that cybersecurity compliance creates for U.S. government contractors and subcontractors. Note that the Jelly Bean matter turned on the gap between what was billed (“HIPAA-compliant hosting”) and what was actually done (unpatched, unmaintained systems); the representation itself, not merely the breach, was the basis for liability. If they have not already done so, contractors and subcontractors should engage with counsel to understand their cybersecurity obligations on existing and future U.S. government contracts and subcontracts, train employees, implement information security controls such as access and network restrictions, invest in and verify ongoing compliance with upgrades, patches, and maintenance, devise incident response plans and ransomware response strategies, and operationalize internal whistleblowing channels. As previously stated, “more are expected.”