DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Virginia Contractor Settles False Claims Act Liability for Failing to Secure Medicare Beneficiary Data

Posted on October 16, 2024 by Dissent

Here’s today’s reminder that it’s not just HHS OCR that entities need to be concerned about in terms of enforcement of data security requirements for health data.

ASRC Federal Data Solutions LLC (AFDS), headquartered in Reston, Virginia, has agreed to resolve False Claims Act allegations in connection with a government contract related to its storage of unsecured personally identifiable information of Medicare beneficiaries. Under the resolution, AFDS will pay $306,722. It will also waive any rights to reimbursement for remediating a data breach involving the information, including at least $877,578 in costs it incurred notifying beneficiaries and providing credit monitoring. AFDS promptly notified the Centers for Medicare and Medicaid Services (CMS) of the data breach, worked with CMS to address the impact of the breach, cooperated with the Justice Department’s investigation and took other remedial measures.

“Government contractors that handle personal information must take required steps to safeguard that information from cyberattacks,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will vigilantly pursue contractors that fail to comply with required cybersecurity protocols, while at the same time extending cooperation credit where warranted for self-disclosure, cooperation and remediation.”

AFDS provided certain Medicare support services under a contract with CMS. The settlement resolves allegations that from March 10, 2021, through Oct. 8, 2022, AFDS and a subcontractor stored screenshots from CMS systems containing personally identifiable information and potentially personal health information of Medicare beneficiaries on the subcontractor’s server without individually encrypting the files to protect them against exposure in the event of a breach. The subcontractor’s server employed disk-level encryption that protected files from unauthorized access but not from access using authorized credentials. The subcontractor’s server was breached by a third party in October 2022 and the unencrypted screenshots were allegedly compromised during that breach.

The United States alleged that the storing of screenshots on the subcontractor’s server violated AFDS’ contractual cybersecurity requirements, and that AFDS knowingly billed CMS in violation of these requirements.

“Safeguarding patients’ sensitive personal information is of paramount importance,” said Special Agent in Charge Stephen Niemczak of the Department of Health and Human Services Office of the Inspector General (HHS-OIG). “This settlement demonstrates the commitment by HHS-OIG and our law enforcement partners to use every available tool to protect the health care data of all Americans and to investigate allegations of fraud, waste and abuse against the public and taxpayer-funded health care programs.”

On Oct. 6, 2021, Deputy Attorney General Lisa Monaco announced the department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.

The resolution obtained in this matter was the result of a coordinated effort between the Civil Division’s Commercial Litigation Branch, Fraud Section, and HHS-OIG.

Senior Trial Counsel Jonathan H. Gold of the Civil Division’s Fraud Section handled the matter.

The claims resolved by the settlement are allegations only. There has been no determination of liability.

Settlement

Updated October 15, 2024

Source: U.S. Department of Justice

Category: Health DataOf NoteSubcontractorU.S.

Post navigation

← Boston Children’s Health Physicians notifies employees and patients of September cyberattack
Army to defend small businesses against hackers with NCODE secure cloud enclave pilot →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
  • Vanta bug exposed customers’ data to other customers

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.