ARTICLE
6 March 2025

The More Things Change… DOJ's Latest Cyber Settlement Shows Continued False Claims Act Risk

By Foley & Lardner LLP

Although the change in administrations has heralded shifting enforcement priorities at the U.S. Department of Justice (DOJ), cybersecurity enforcement under the False Claims Act (FCA) appears to be alive and well. That is the takeaway from DOJ's recent announcement that Health Net Federal Services and its parent, Centene Corporation, have agreed to pay over US$11 million to resolve an FCA matter alleging cybersecurity violations.

The Health Net Settlement

According to DOJ, Health Net entered into a contract with the Department of Defense to administer the Defense Health Agency's TRICARE health benefits program. Health Net allegedly failed to meet certain cybersecurity controls required by that contract and falsely certified compliance with those requirements in annual reports to the government. The government alleged that the company failed to scan for known vulnerabilities in a timely manner and to remediate security flaws on its networks and systems. In addition, according to the government, Health Net allegedly ignored reports from third-party security auditors and from its own internal audit department regarding cybersecurity risks on the company's networks and systems. Those risks related to, among other things, asset management, firewalls, patch management, and password policies. The government's theory was that, as a result of these purported failures, the company's claims for payment under the contract were false. Notably, that theory does not depend on any actual exfiltration or compromise of data or protected health information: the alleged falsity lies in certifying compliance with controls that were not in place, not in the occurrence of a breach.

This latest settlement builds on prior DOJ actions against government contractors for alleged cybersecurity failures. Foley has reported on those prior actions in earlier alerts, including DOJ's FCA suit against Georgia Tech, which remains pending.

The Health Net settlement demonstrates that the Trump Administration's DOJ remains focused on cybersecurity enforcement, particularly under the FCA. This is not surprising, given the administration's pronouncements about stamping out alleged fraud, waste, and abuse. It was also a theme echoed by several DOJ speakers at a national qui tam conference in Washington, D.C. in February 2025.

Also, where a federal contract involves the military, as was the case with the Health Net settlement, this administration is likely to be especially aggressive in investigating and prosecuting alleged non-compliance. Indeed, it is notable that the Health Net settlement does not appear to have arisen from a qui tam suit, which would mean the government initiated the investigation on its own rather than in response to a whistleblower. Finally, the fact remains that cybersecurity has always been a bipartisan issue.

Recommendations

In light of the Health Net settlement and the new administration's interest in cybersecurity enforcement, companies and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:

  1. Catalogue and monitor compliance with all government-imposed cybersecurity standards. This requires not only ongoing knowledge of which contracts impose which requirements, but also continuous monitoring and assessment of the organization's cybersecurity program against those requirements, including identifying and patching vulnerabilities within the timeframes the organization has committed to. Because the certifications at issue in Health Net were annual reports, each certification should be supported by contemporaneous evidence (scan records, remediation tickets, audit responses) showing that the certified controls were actually in place during the period covered.
  2. Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report them. When concerns are identified, whether by employees, internal audit, or third-party assessors, it is critical to escalate and investigate them promptly; the Health Net allegations specifically included ignoring such reports. Because the FCA's qui tam provisions allow employees and others to file suit on behalf of the United States, responding effectively to employees' concerns is also a matter of litigation risk.
  3. Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps, including whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline in the process and streamline the organization's approach.
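The first recommendation above, continuous monitoring of scan cadence and remediation timeliness so that an annual certification rests on evidence, can be reduced to a mechanical check. The following is an added illustration, not code from the article or from Health Net; the 30-day scan interval, the per-severity remediation windows, the asset inventory, and the finding records are all constructed assumptions for the example and are not terms of the TRICARE contract or any other real contract. The check flags in-scope assets with no recent scan (the asset-management gap), findings still open past their deadline, and findings that were closed but closed late, since a late fix is still a deviation that should be recorded before anyone signs a compliance report.

```python
"""Illustrative control check for vulnerability-scan cadence and remediation
timeliness.  Added example; policy values and sample data are hypothetical
assumptions, not terms of any real government contract."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical policy (assumption): scan every in-scope asset at least every
# 30 days; fix criticals within 15 days, highs within 30, others within 90.
SCAN_INTERVAL = timedelta(days=30)
REMEDIATION_WINDOW = {
    "critical": timedelta(days=15),
    "high": timedelta(days=30),
    "medium": timedelta(days=90),
    "low": timedelta(days=90),
}


@dataclass
class Asset:
    name: str
    in_scope: bool            # covered by the contractual control set
    last_scan: Optional[datetime]  # None = no scan evidence at all


@dataclass
class Finding:
    asset: str
    cve: str
    severity: str
    first_seen: datetime
    fixed: Optional[datetime] = None   # None = still open


def overdue_scans(assets: list[Asset], now: datetime) -> list[str]:
    """In-scope assets never scanned or last scanned more than SCAN_INTERVAL ago."""
    return [
        a.name for a in assets
        if a.in_scope and (a.last_scan is None or now - a.last_scan > SCAN_INTERVAL)
    ]


def late_findings(findings: list[Finding], now: datetime) -> list[tuple[str, str, str, str]]:
    """Findings not remediated within their window.

    A finding is late if it is still open past its deadline, or if it was
    closed after the deadline; the latter is recorded as "fixed late" because
    a late fix is still a deviation for the period being certified.
    """
    late = []
    for f in findings:
        deadline = f.first_seen + REMEDIATION_WINDOW[f.severity]
        closed_at = f.fixed if f.fixed is not None else now
        if closed_at > deadline:
            late.append((f.asset, f.cve, f.severity, "open" if f.fixed is None else "fixed late"))
    return late


def compliance_report(assets: list[Asset], findings: list[Finding], now: datetime) -> dict:
    """Evidence summary; 'certifiable' is True only when nothing is overdue or late."""
    scans = overdue_scans(assets, now)
    late = late_findings(findings, now)
    return {"overdue_scans": scans, "late_findings": late, "certifiable": not scans and not late}


# Constructed sample data (assumption): an inventory and scanner output for
# one reporting period, evaluated as of NOW.
NOW = datetime(2025, 3, 1)
SAMPLE_ASSETS = [
    Asset("web-01", True, datetime(2025, 2, 20)),   # scanned 9 days ago: fine
    Asset("db-01", True, datetime(2025, 1, 10)),    # 50 days ago: overdue
    Asset("hr-fs-02", True, None),                  # inventoried, never scanned
    Asset("lab-printer", False, None),              # out of scope: ignored
]
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-0001", "critical", datetime(2025, 2, 10), datetime(2025, 2, 20)),  # fixed in 10 days
    Finding("web-01", "CVE-0000-0002", "high", datetime(2025, 1, 15)),                            # open 45 days
    Finding("db-01", "CVE-0000-0003", "critical", datetime(2025, 2, 1), datetime(2025, 2, 25)),   # fixed after 24 days
    Finding("db-01", "CVE-0000-0004", "medium", datetime(2025, 1, 1)),                            # open 59 days, in window
]

if __name__ == "__main__":
    for key, value in compliance_report(SAMPLE_ASSETS, SAMPLE_FINDINGS, NOW).items():
        print(f"{key}: {value}")
```

On the sample data the report is not certifiable: two in-scope assets lack a current scan, one high finding is open past its window, and one critical was fixed nine days late. The design point is that the check consumes the same artifacts an auditor would ask for (inventory, scan timestamps, ticket open and close dates), so the output doubles as the evidence behind the certification rather than a separate narrative about it.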

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
