Towards the end of 2021, the Department of Justice unveiled its plans to use the False Claims Act to enforce federal contractual cyber-security requirements. In early March, it announced "the first resolution of a False Claims Act case involving cyber fraud since the launch of the department's Civil Cyber-Fraud Initiative", according to an announcement posted on the agency's website.
According to the press release, Comprehensive Health Services LLC, based out of Cape Canaveral, Florida, "has agreed to pay $930,000 to resolve allegations that it violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan."
Comprehensive Health Services (CHS) provides medical support to US-run facilities in Iraq and Afghanistan.
It was discovered that the company had "failed to disclose to the State Department that it had not consistently stored patients' medical records on a secure EMR (electronic medical record) system," between 2012 and 2019. This was discovered after CHS submitted a claim to the State Department for the system itself.
"This settlement demonstrates the department's commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards," said State Department Principal Deputy Assistant Attorney General Brian M. Boynton, "particularly when they put confidential medical records at risk."
As the National Law Review noted in their coverage of the case, the DOJ seems to be casting a broad net as to what constitutes fraud, which is expected to come in the form of Defense Federal Acquisition Regulation Supplement (DFARS) or Federal Acquisition Regulation (FAR) violations.