Impact of Cybersecurity Related False Claims Act Lawsuits on Government Contractors

In October 2021, the US Department of Justice reported that it would “use its authorities under the False Claims Act (FCA) to fine government contractors that ‘fail to follow required cybersecurity standards.’”

DOJ announces first civil cyber-fraud settlement

In March 2022, the first civil cyber-fraud settlement was announced with Comprehensive Health Services LLC (CHS). CHS provides medical support services at government facilities in Iraq and Afghanistan and submitted claims for the cost ($500K) of a secure electronic medical record (EMR) system to store patients’ medical records. DOJ alleged that CHS violated the False Claims Act by falsely representing it complied with contract requirements. Specifically, the company failed to disclose that it had not consistently stored medical records between 2012 and 2019 in the EMR. As a result, CHS agreed to pay $930K to settle allegations and resolve 2 actions brought under the whistleblower provisions.

Contractor settles cybersecurity-related False Claims Act suit for $9M

In April 2022, the DOJ resolved a first-of-its-kind False Claims Act case premised on cybersecurity noncompliance. The whistleblower lawsuit brought by the former Senior Director of Cybersecurity alleged that Aerojet Rocketdyne Holdings, Inc. (Aerojet) lied about its compliance with relevant cybersecurity requirements to obtain contracts with DOD and NSA from 2013 to 2015. The lawsuit sought damages of $19+ billion – three times the sum of every invoice paid under the fraudulently obtained contracts.

Aerojet requested a summary judgment motion to dismiss the case and the DOJ filed a Statement of Interest to respond to the legal issues related to the FCA. The US District Court rejected Aerojet’s arguments that the contracts’ cybersecurity control provisions were not material, and that the government did not suffer any damages because it had delivered functional rocket engines. Aerojet agreed to pay $9M to settle allegations less than 24 hours before jury trial began.

Impact on government contractors’ cybersecurity compliance stance

Although the government’s cybersecurity standards continue to evolve, the Aerojet and CHS settlements should serve as a wake-up call for government contractors to immediately take their cybersecurity obligations seriously.

While CMMC 2.0 may be a new requirement that hasn’t taken effect yet (expected March 2023), there are existing requirements for government contractors to practice minimum cybersecurity standards in the FAR/DFARS. CMMC is the latest attempt by the government to codify those standards and expectations into a compliance framework that can be consistently measured and tracked.

What should government contractors do now?

If you are unsure about the state of your cybersecurity program and/or whether you are compliant with contract expectations:

• Obtain a cyber hygiene check (external gap assessment) from a reputable firm.

If you have conducted an assessment and identified your gaps:

• Accelerate the work required to address the gaps and become more secure/compliant.

How can Aprio help?

Aprio provides advisory and remediation support services to government contractors. We can manage your cybersecurity program and/or assist with addressing gaps by implementing and enhancing required security controls.

Aprio is a Registered Practitioner Organization (RPO) with the CyberAB. We are familiar with the constructs of the CMMC and NIST 800-171 standards; have multiple trained Registered Practitioners on staff; and agree to abide by the CyberAB code of professional conduct.

Schedule a consultation with our team today.