CHS will pay $930,000 to settle false claims allegations that it lied to the State Department and the Air Force about the care it provided to service members.
Comprehensive Health Services (CHS) will pay $930,000 to settle allegations that it failed to comply with regulations regarding the use of its EMR system and lied about controlled substances it administered to patients at State Department and Air Force in Iraq and Afghanistan.
In a lawsuit, the State Department said the company did not consistently store the medical records of patients it cared for in Iraq on a secure EMR system. Along with the Air Force, it also accused CHS in a separate suit of lying that certain substances it distributed were approved by the FDA and the European Medicines Agency (EMA). They say that these actions violate the False Claims Act.
The settlement is the first resolution of a False Claims Act case involving cyberfraud since the Department of Justice launched its Civil Cyber-Fraud Initiative in October. The initiative uses the False Claims Act to pursue and hold accountable entities that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating obligations to monitor and report cybersecurity incidents and breaches.
The cases are United States ex rel. Lawler v. Comprehensive Health Servs., Inc. et al., Case No. 20-cv-698 (E.D.N.Y.), and United States ex rel. Watkins et al. v. CHS Middle East, LLC, Case No. 17-cv-4319 (E.D.N.Y.).
“This settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk,” said Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department’s civil division, in a statement. “We will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.”
According to the first suit, CHS submitted claims to the state department between 2012 and 2019 for the cost of a secure EMR system to store confidential identifying data and all other information of U.S. service members, diplomats, officials and contractors in Iraq. But when staff scanned medical records for the system, they saved and left copies of some scanned records on an internal network drive that nonclinical staff were able to access. And even when the risk was reported, CHS did not take appropriate steps to fix the problem and ensure information was stored exclusively on the EMR, said the state department.
