ASRC Federal Data Solutions LLC (AFDS), headquartered in Reston, Virginia, agreed to pay $306,722 to resolve FCA allegations arising from its storage of unsecured personally identifiable information in connection with certain government contracts.
AFDS provided certain Medicare support services under a contract with the Centers for Medicare and Medicaid Services (CMS). The settlement resolves allegations that from March 10, 2021, through October 8, 2022, AFDS stored screenshots from CMS systems containing Medicare beneficiaries' personally identifiable information on a subcontractor's server without properly encrypting the files to protect them in the event of a breach. The subcontractor's server was breached by a third party in October 2022, and the unsecured screenshots containing Medicare beneficiaries' information were allegedly compromised during that breach. The government alleged that the improper storing of screenshots on the subcontractor's server violated AFDS's contractual cybersecurity requirements and that knowingly billing CMS despite those breaches rendered AFDS's claims for reimbursement false under the FCA.
In addition to the settlement payment, AFDS waived any right to reimbursement for remediating the breach, including at least $877,578 the company incurred to notify beneficiaries and provide credit monitoring. The government recognized that AFDS promptly notified CMS of the data breach, worked with CMS to address the impact of the breach, took other remedial measures, and cooperated with the US Department of Justice's investigation.