
DOJ Ramps Up Cybersecurity-Related False Claims Act Enforcement Efforts


Last week, the U.S. Department of Justice (DOJ) announced that Insight Global LLC agreed to pay $2.7 million to resolve allegations that the company violated the federal False Claims Act (FCA) by failing to keep personal health information confidential and secure. This is just one of the FCA settlements for cybersecurity violations that have occurred since DOJ announced its Civil Cyber-Fraud Initiative to use the FCA to pursue government contractors and grant recipients who fail to live up to their cybersecurity responsibilities.

The Insight Global case, initiated by a whistleblower under the FCA’s qui tam provisions, involved the Pennsylvania Department of Health’s contract with the company to provide staffing for COVID-19 contact tracing, paid for with federal funds from the Centers for Disease Control and Prevention. In the settlement agreement, the United States contended that despite Insight Global’s representations that it would keep patients’ personal health information safe and secure, it allowed such information to be transmitted in the body of unencrypted emails and allowed some files to be stored and transmitted using Google files that were not password protected, among other failures to provide adequate cybersecurity.

This settlement comes a few weeks after the DOJ announced its intention to intervene in a False Claims Act whistleblower case against Georgia Tech Research Corporation (GTRC) and Georgia Institute of Technology (GA Tech), collectively known as Georgia Tech, for alleged failure to provide “adequate security” for Department of Defense (DOD) information that is processed, stored, or transmitted on Georgia Tech’s internal information systems. The case, United States ex rel. Craig v. Georgia Tech Research Corporation, was initially filed under seal in July 2022 in the Northern District of Georgia. The whistleblowers who brought the case are the Associate Director of Cybersecurity at Georgia Tech and a former information security engineer who also worked for the university’s Information Security Department.

The lawsuit alleges that Georgia Tech has many contracts with DOD that require it to comply with certain cybersecurity requirements for how it handles DOD information. The Defense Federal Acquisition Regulations (DFARS) require DOD contractors that handle controlled unclassified information to use information systems that comply with the National Institute of Standards and Technology Special Publication (NIST SP). Among other requirements, federal contractors must have security measures in place to safeguard any DOD information that is stored internally. The whistleblowers allege that Georgia Tech had numerous compliance failures in how it handled controlled unclassified information, including a lack of training for the people responsible for handling the NIST SP standards and a failure to have personnel qualified to assess whether its practices were compliant.

DOJ has until late June to file its complaint in intervention. This appears to be the first time that DOJ has intervened in an FCA case alleging violations of cybersecurity standards since DOJ announced its Cyber-Fraud Initiative in October 2021.

Whistleblowers can play an important role in alerting the government to violations of cybersecurity requirements by federal contractors and grant recipients. The FCA allows whistleblowers to file lawsuits on behalf of the government, and if a lawsuit leads to a recovery for the government, the whistleblower is entitled to a reward of between 15 and 30 percent of the funds collected.
