Cyber-related False Claims actions are on the uptick

Earlier this month, the US Department of Justice (DOJ) announced that Verizon Business Network Services agreed to pay $4,091,317, plus interest, to resolve False Claims Act (FCA) allegations. These allegations held that the company’s Managed Trusted Internet Protocol Service (MTIPS) provided from 2017 to 2021 to federal agencies did not meet three cybersecurity controls for trusted internet connections required for General Services Administration (GSA) contracts.

Verizon undertook an internal investigation that discovered the issues surrounding its compliance with the requirements, voluntarily disclosed the problems to the GSA, and cooperated with the government’s investigation. The company then took steps to remediate the issues.

Verizon received credit or reduced payment under DOJ guidelines for False Claims Act cases for its voluntary disclosures and subsequent remediation measures. Although neither DOJ nor Verizon disclosed how much of a credit the company received, one estimate pegs it at $1.3 million.

Verizon’s settlement is the latest False Claims Act action by the DOJ since the October 2021 creation within the department of its Civil Cyber-Fraud Initiative. In announcing the initiative, Deputy Attorney General Lisa Monaco said, “We will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk.”

Legal and cybersecurity experts say the Verizon settlement and earlier FCA claims brought under the cyber initiative underscore the need for organizations to step up their cyber compliance game to ward off whistleblower reports, which the FCA protects, and mitigate financial penalties. (DOJ encourages whistleblowers to report cyber fraud to the Inspector General’s Office.) Moreover, the rate at which Justice is bringing action appears to be accelerating, suggesting that even more FCA-related actions could soon emerge.

Verizon’s recent settlement represents the third False Claims action under the new DOJ effort. DOJ announced its first settlement under the Civil Cyber-Fraud Initiative in March 2022 with Florida-based healthcare provider Comprehensive Health Services LLC (CHS). CHS agreed to pay $930,000 to resolve allegations that it violated the False Claims Act by misrepresenting to the State Department and the Air Force that it complied with security contract requirements relating to providing medical services at the State Department and Air Force facilities in Iraq and Afghanistan.

The government alleged that CHS failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure electronic medical record (EMR) system, with CHS staff saving and leaving scanned copies of some records on an internal network drive that was accessible to non-clinical staff. DOJ said that even after staff raised concerns about the privacy of protected medical information, CHS did not take adequate steps to store the information exclusively on the EMR system.

A year later, in March 2023, the DOJ announced its second cyber-related case under the Civil Cyber-Fraud Initiative, against Jelly Bean Communications Design LLC and company manager and co-owner Jeremy Spinks, who agreed to pay $293,771. The settlement resolved False Claims Act allegations that Jelly Bean and Spinks failed to secure personal information on a federally funded Florida children’s health insurance website run by the Medicaid-funded Florida Healthy Kids Corporation (FHKC), which Jelly Bean created, hosted, and maintained.

Under FHKC’s agreement with Jelly Bean, the contractor agreed to provide a fully functional hosting environment that complied with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996, and Jelly Bean agreed to adapt, modify, and create the necessary code on the webserver to support the secure communication of data.

DOJ alleged that from January 1, 2014, through December 14, 2020, Jelly Bean did not provide secure hosting of applicants’ personal information and instead knowingly failed to properly maintain, patch, and update the software systems underlying HealthyKids.org and its related websites, leaving the site and the data Jelly Bean collected from applicants vulnerable to attack.

In early December 2020, more than 500,000 applications submitted on HealthyKids.org were revealed to have been hacked, potentially exposing the applicants’ personal identifying information and other data. Due to the data breach and Jelly Bean’s cybersecurity failures, FHKC shut down the website’s application portal in December 2020. 

There are at least two other cyber-related False Claims actions that the DOJ has not counted under its cyber initiative banner. In March 2022, the department said California-based military and government contractor Aerojet Rocketdyne violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts.

On October 4, 2022, a lawsuit against Penn State University under the False Claims Act alleged the university lied or misled about its adherence to government cybersecurity protocols when contracting with the federal government. The suit was brought on behalf of Matthew Decker, CIO at a Penn State research laboratory who served briefly as interim vice provost and CIO for the university in 2016. Decker is a “relator” in the suit, an individual who files an FCA lawsuit on behalf of the government and is entitled to a share of the government’s recovery in a successful case.

Greater pace suggests more False Claims actions coming

Given the timing of the Verizon settlement, coming five months after the Jelly Bean settlement, the rate at which the Justice Department is tackling cyber-related FCA cases appears to be accelerating. The interval between the Jelly Bean and CHS settlements was a year.

“I can say in my practice, we are seeing an increase in these types of investigations,” Tirzah Lollar, co-chair of the False Claims Act practice at Arnold and Porter, tells CSO. “Since the initiative was announced in 2021, we have been expecting an uptick in these types of investigations and resolutions. I think we’re just now beginning to see that potential uptick beginning.”

Moreover, the Relators Bar, which focuses on representing whistleblowers who bring action on behalf of the government, is seeking new clients. “The Relators Bar is also looking for clients to bring these cases. So, it is a significant area of potential false claims at risk,” Lollar says.

The DOJ’s focus on the kinds of organizations it prioritizes also appears to be expanding. Lollar notes that the Verizon settlement was the first non-healthcare action brought by the department’s cyber unit. She predicts that defense contractors will likely be the next focus of DOJ’s FCA actions.

Take stock of cybersecurity compliance and contract requirements

In the face of what appears to be mounting interest in FCA cyber-related actions, federal government contractors should scrutinize their cybersecurity requirements and contract provisions. “If they’re doing business with the federal government, they need to really pay attention to what their cybersecurity compliance obligations are,” Lollar says. “Because it’s no longer just about a potential breach of contract. Now there’s a potential fraud case.”

Other legal experts note that “contractors should review for vulnerabilities and assess risk on an ongoing basis, and fully document their efforts” to prevent future settlements or litigation. Complying with frameworks like the Cybersecurity Maturity Model Certification (CMMC) framework could also help protect organizations from FCA entanglement.

Matt Coose, founder and CEO of compliance automation company Qmulos, said in a statement that compliance readiness and confidence could serve as “mitigating factors against severe penalties and unwanted outcomes, such as having the DOJ perched on your shoulder running your security and compliance program for you after a breach or whistleblower disclosure.”