A government contractor has reached a settlement over False Claims Act allegations related to cybersecurity breaches. ASRC Federal Data Solutions LLC (AFDS) allegedly failed to secure Medicare beneficiary data against a data breach. This case shines a spotlight on the importance of vigilant oversight and accountability in maintaining cybersecurity standards for government contractors. While there was no whistleblower, an insider who reports knowing failures to comply with cybersecurity requirements in government contracts can be rewarded with 15-25% of the government’s recovery in a False Claims Act settlement.
Summary of the Case
AFDS, based in Reston, Virginia, found itself at the center of controversy for its handling of sensitive information. The allegations pertain to AFDS’s contract with the Centers for Medicare and Medicaid Services (CMS), where it was responsible for providing Medicare support services. Between March 10, 2021, and October 8, 2022, AFDS and its subcontractor allegedly stored screenshots containing personally identifiable information and potentially personal health information of Medicare beneficiaries on an inadequately secured server. When the server was breached in October 2022, these unencrypted screenshots were compromised, highlighting a significant lapse in adhering to contractual cybersecurity requirements. Billing CMS for work performed on this contract, while not adhering to cybersecurity requirements, constituted the submission of false claims to the government.
In response to these allegations, AFDS has agreed to pay a settlement of $306,722. Additionally, the company will forgo reimbursement for costs incurred from remedial actions, such as notifying beneficiaries and providing credit monitoring, amounting to $877,578. To its credit, the government contractor notified CMS of the breach and cooperated with the subsequent investigation.
The Role of Cyberfraud Whistleblowers
Following the announcement of the Civil Cyber-Fraud Initiative by Deputy Attorney General Lisa Monaco on October 6, 2021, there has been a pronounced emphasis on holding entities accountable for cybersecurity negligence. This initiative seeks to address scenarios where organizations knowingly provide subpar cybersecurity products or services or misrepresent their cybersecurity protocols to the federal government.
Whistleblowers play a pivotal role in this framework by exposing deficiencies and ensuring that entities maintain their cybersecurity obligations. This case highlights the essential role that good cybersecurity practices play in protecting sensitive information. In an era where data breaches can have severe consequences for individuals and organizations alike, maintaining robust cybersecurity measures is non-negotiable. Additionally, this settlement underscores the importance of the False Claims Act as a tool for enforcing cybersecurity compliance among government contractors and ensuring the government pays for services that are rendered in line with contract provisions. As the landscape of digital threats continues to evolve, the contributions of whistleblowers remain invaluable in ensuring that organizations are held to the highest standards of cybersecurity.