A federal contractor faced a double cybersecurity breach when personal data from Medicare beneficiaries stored in unencrypted screenshots was allegedly compromised after a third-party vendor’s server was hacked. ASRC Federal Data Solutions (AFDS), based in Virginia, agreed to pay nearly $307,000 to the Department of Justice (DOJ) to settle a False Claims Act (FCA) violation related to the breach, the DOJ announced in a press release on Wednesday. In addition to the settlement, AFDS agreed to waive over $877,000 in costs it incurred while notifying beneficiaries and providing credit monitoring services.
According to the DOJ, AFDS violated the cybersecurity requirements of its contract with the Centers for Medicare and Medicaid Services (CMS) by storing sensitive screenshots on the third-party vendor’s server. The DOJ alleged that AFDS "knowingly billed CMS in violation of these requirements."
Although AFDS settled the case, it did not admit liability. The company did not respond to requests for comment.
From March 2021 to October 2022, a subcontractor for AFDS stored screenshots from CMS systems that contained personally identifiable information (PII) and potentially personal health information. However, the screenshots were not individually encrypted to protect the data from exposure in the event of a breach. In October 2022, the subcontractor’s server was breached by a hacker, leading to the compromise of this sensitive data, the DOJ stated.
Federal contractors who handle data containing PII, especially medical information, must recognize that they are responsible for the security of that data, even when it is shared with third parties. In the event of a breach involving PII, the government will hold the contracted party accountable, not the third party.
This case underscores the importance for government contractors to protect personal data throughout the value chain and regularly monitor and audit third-party performance to ensure compliance with contractual obligations.
In October 2021, the DOJ introduced its Civil Cyber Fraud Initiative, prioritizing the use of the False Claims Act to target cybersecurity-related fraud by government contractors and grant recipients. Since the initiative’s launch, several contractors have faced fines and lawsuits for failing to meet required cybersecurity standards, with deficiencies often coming to light following breaches.
In August, the DOJ joined a whistleblower lawsuit against Georgia Tech, filed by two compliance officers, alleging that the university and an affiliated research group failed to uphold cybersecurity standards in a Department of Defense contract.
In June, the DOJ imposed fines of $11.3 million on Guidehouse and Nan McKay and Associates to settle claims that cybersecurity failures during the rollout of pandemic-related federal aid led to PII being compromised.
Similarly, in May, Insight Global agreed to pay $2.7 million to settle allegations that it violated the FCA by failing to maintain adequate cybersecurity protections for Covid-19 contact tracing data.
AFDS notified CMS immediately after the October 2022 breach and worked closely with the agency to address the impact. The company also cooperated with the DOJ’s investigation and took remedial actions, which the DOJ acknowledged, though it did not clarify how AFDS's efforts may have reduced the penalty.
“We will vigilantly pursue contractors that fail to comply with required cybersecurity protocols, while at the same time extending cooperation credit where warranted for self-disclosure, cooperation, and remediation,” said Brian Boynton, head of the DOJ’s Civil Division, in the press release.
By fLEXI tEAM
Comments