DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Virginia Contractor Settles False Claims Act Liability for Failing to Secure Medicare Beneficiary Data

Posted on October 16, 2024 by Dissent

Here’s today’s reminder that it’s not just HHS OCR that entities need to be concerned about in terms of enforcement of data security requirements for health data.

ASRC Federal Data Solutions LLC (AFDS), headquartered in Reston, Virginia, has agreed to resolve False Claims Act allegations in connection with a government contract related to its storage of unsecured personally identifiable information of Medicare beneficiaries. Under the resolution, AFDS will pay $306,722. It will also waive any rights to reimbursement for remediating a data breach involving the information, including at least $877,578 in costs it incurred notifying beneficiaries and providing credit monitoring. AFDS promptly notified the Centers for Medicare and Medicaid Services (CMS) of the data breach, worked with CMS to address the impact of the breach, cooperated with the Justice Department’s investigation and took other remedial measures.

“Government contractors that handle personal information must take required steps to safeguard that information from cyberattacks,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will vigilantly pursue contractors that fail to comply with required cybersecurity protocols, while at the same time extending cooperation credit where warranted for self-disclosure, cooperation and remediation.”

AFDS provided certain Medicare support services under a contract with CMS. The settlement resolves allegations that from March 10, 2021, through Oct. 8, 2022, AFDS and a subcontractor stored screenshots from CMS systems containing personally identifiable information and potentially personal health information of Medicare beneficiaries on the subcontractor’s server without individually encrypting the files to protect them against exposure in the event of a breach. The subcontractor’s server employed disk-level encryption that protected files from unauthorized access but not from access using authorized credentials. The subcontractor’s server was breached by a third party in October 2022 and the unencrypted screenshots were allegedly compromised during that breach.

The United States alleged that the storing of screenshots on the subcontractor’s server violated AFDS’ contractual cybersecurity requirements, and that AFDS knowingly billed CMS in violation of these requirements.

“Safeguarding patients’ sensitive personal information is of paramount importance,” said Special Agent in Charge Stephen Niemczak of the Department of Health and Human Services Office of the Inspector General (HHS-OIG). “This settlement demonstrates the commitment by HHS-OIG and our law enforcement partners to use every available tool to protect the health care data of all Americans and to investigate allegations of fraud, waste and abuse against the public and taxpayer-funded health care programs.”

On Oct. 6, 2021, Deputy Attorney General Lisa Monaco announced the department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.

The resolution obtained in this matter was the result of a coordinated effort between the Civil Division’s Commercial Litigation Branch, Fraud Section, and HHS-OIG.

Senior Trial Counsel Jonathan H. Gold of the Civil Division’s Fraud Section handled the matter.

The claims resolved by the settlement are allegations only. There has been no determination of liability.

Settlement

Updated October 15, 2024

Source: U.S. Department of Justice

Category: Health DataOf NoteSubcontractorU.S.

Post navigation

← Boston Children’s Health Physicians notifies employees and patients of September cyberattack
Army to defend small businesses against hackers with NCODE secure cloud enclave pilot →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ShinyHunters and team members arrested in France (1)
  • Texas Enacts Liability Shield From Punitive Damages for Certain Small Businesses That Adopt Cybersecurity Programs
  • Dublin ETB fined €125,000 for data protection breaches
  • From $5,000 to $800,000: Days Apart, OCR Security Settlements Show Puzzling Math
  • Liberty Township in Ohio has recovered its network after a ransomware attack
  • Marquette County Medical Care Facility discloses data breach
  • Industry Letter – June 23, 2025: Impact to Financial Sector of Ongoing Global Conflicts
  • MNGI Digestive Health settles class action lawsuit stemming from BlackCat attack
  • Four REvil ransomware members released after time served on carding charges
  • Why Dumping Sensitive Data on Network Shares is a Liability

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.