On October 6, 2021, Deputy Attorney General (AG) Lisa Monaco announced the Civil Cyber-Fraud Initiative (CCFI), indicating that the Department of Justice (DOJ) will pursue companies, in particular government contractors who receive federal funds, for failing to follow required cybersecurity standards.
This initiative is designed to expand the DOJ’s efforts to combat and minimize cyber threats to federal systems and is being led by the Civil Division’s Commercial Litigation Branch. AG Monaco is quoted as saying, “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it.”
The CCFI will use the False Claims Act (FCA) to investigate and pursue cybersecurity-related fraud by government contractors and grant recipients. This is separate from how the Health and Human Services (HHS) Office for Civil Rights (OCR) reviews and investigates HIPAA-related incidents. What differentiates the FCA from OCR investigations is that the FCA has unique whistleblower provisions. Individuals can report practices that are noncompliant with the HIPAA Security Rule to OCR and now also to the DOJ. If the DOJ finds noncompliance or fraud relevant to the whistleblower complaint, the whistleblower shares in any penalty and fine recoveries, all while being protected from retaliation. The DOJ will no longer tolerate entities or individuals putting U.S. information or systems at risk by:
- Knowingly providing deficient cybersecurity products or services.
- Knowingly misrepresenting their cybersecurity practices or protocols.
- Knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
What are the Key Takeaways or Next Steps?
OCR will clearly continue to investigate HIPAA violations, but it will now collaborate more closely with the DOJ when it is determined that a government contractor or grant recipient has knowingly been non-compliant with cybersecurity practices. If the DOJ is involved, the entity may face civil enforcement actions, and the FCA can impose treble (triple) damages per incident under typical FCA penalties.
What Should an Entity Do?
- Assess whether your organization is considered a government contractor or may have received federal grant dollars. During the declared Public Health Emergency, many entities received various recovery funding in the form of loans and grants. Be sure you know your position, as your non-compliance with cybersecurity practices may now carry FCA implications in conjunction with OCR HIPAA penalties.
- Ensure your organization has conducted a HIPAA Security Risk Analysis (SRA), which is a HIPAA Security Rule requirement within the Security Management Process standard, CFR 164.308(a)(1), and one element overlooked by many due to limited funds. Keep in mind that knowingly not conducting an SRA could result in FCA violations in conjunction with OCR HIPAA penalties.
Not sure where to start with conducting an SRA? Contact LW Consulting, Inc.’s (LWCI) HIPAA Security consultants. Keep in mind that grant funding may be available to assist with conducting an SRA and identifying IT infrastructure needs for your organization. LWCI offers our HIPAA SP3: Security Policies and Procedures Package on our LWCI Learning Center, or we can set up a time to discuss your needs.
To learn more about how LWCI can help you, set up a 15-minute discussion with one of our experts, Deborah Alexander, Director, CHC, CHPC, PMP, DPT, MED, STC, CSCS.