Comprehensive Health Services (CHS) will pay $930,000 to settle allegations that it failed to comply with regulations regarding the use of its EMR system and lied about controlled substances it administered to patients at State Department and Air Force in Iraq and Afghanistan.
In a lawsuit, the State Department said the company did not consistently store the medical records of patients it cared for in Iraq on a secure EMR system. Along with the Air Force, it also accused CHS in a separate suit of lying that certain substances it distributed were approved by the FDA and the European Medicines Agency (EMA). They say that these actions violate the False Claims Act.
The settlement is the first resolution of a False Claims Act case involving cyberfraud since the Department of Justice launched its Civil Cyber-Fraud Initiative in October. The initiative uses the False Claims Act to pursue and hold accountable entities that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating obligations to monitor and report cybersecurity incidents and breaches.
The cases are United States ex rel. Lawler v. Comprehensive Health Servs., Inc. et al., Case No. 20-cv-698 (E.D.N.Y.), and United States ex rel. Watkins et al. v. CHS Middle East, LLC, Case No. 17-cv-4319 (E.D.N.Y.).
“This settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk,” said Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department’s civil division, in a statement. “We will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.”
According to the first suit, CHS submitted claims to the state department between 2012 and 2019 for the cost of a secure EMR system to store confidential identifying data and all other information of U.S. service members, diplomats, officials and contractors in Iraq. But when staff scanned medical records for the system, they saved and left copies of some scanned records on an internal network drive that nonclinical staff were able to access. And even when the risk was reported, CHS did not take appropriate steps to fix the problem and ensure information was stored exclusively on the EMR, said the state department.
In the same timespan, the company also lied about controlled substances it supplied when it said that they were approved by the FDA and EMA and manufactured in accordance with quality standards, according to the second suit. The State Department and Air Force said that CHS lacked a Drug Enforcement Agency license for exporting the controlled substances and had its physicians in Florida send letters to a South African physician to prescribe the drugs. A South African shipping company would receive controlled substances that were not approved by the FDA or EMA and send them to CHS for distribution to patients.
The suits were brought under the qui tam or whistleblower provision of the False Claims Act, which allows a private party to sue on behalf of the U.S. government and receive a portion of the settlement if the government takes over the case and reaches an agreement with the defendant. The whistleblowers were unnamed and the portion of the proceeds they received in each case is unknown.
“The Department of the Air Force Office of Special Investigations (OSI) is undeterred in its approach to hunting down fraud within our Foreign Military Sales programs and ensuring the offenders are held accountable,” said special agent in charge Nicholas J. Groesbeck of OSI Procurement Fraud Detachment 4, Wright-Patterson AFB, OH. “We applaud the complainant for coming forward, which allowed our joint partners to protect the government's procurement process and carry out the warfighting mission.”
The settlement follows CHS’ recent disclosure of a cyber breach that compromised as many as 94,449 individuals
, according to legal news site JD Supra. The company discovered fraudulent wire transfer requests in September 2020 and confirmed in November 2021 that the names and social security numbers of certain individuals employed by some of its customers were accessed or stolen by an unauthorized third-party. It began notifying those impacted in February.