Virginia Contractor Settles False Claims Act Liability for Failing to Secure Medicare Beneficiary Data
SETTLEMENT AGREEMENT
This Settlement Agreement (Agreement) is entered into among the United States
of America, acting through the United States Department of Justice and on behalf of the
Department of Health and Human Services, Office of Inspector General (“HHS-OIG”)
(collectively the “United States”) and ASRC Federal Data Solutions, LLC (hereafter
“AFDS”) (collectively referred to as “the Parties”), through their authorized
representatives.
RECITALS
A. AFDS is a federal contractor that supplies services and technical expertise
to a variety of government agencies. AFDS provided certain Medicare support services
to the Centers for Medicare and Medicaid Services (“CMS”) under contract no.
75FCMC18C0045 (the “Medicare Case Support Contract”) in part using a subcontractor
(the “Subcontractor”). Prior to the Covid-19 pandemic, it performed this work in person
using hardcopy records, and, during the pandemic, CMS, AFDS, and the Subcontractor
transitioned to performing the work electronically on the Subcontractor’s server. The
Subcontractor’s server employed disk-level encryption that protected files from
unauthorized access but not from access using authorized credentials.
B. The United States contends that it has certain civil claims against AFDS
arising from the following conduct:
From March 10, 2021 through October 8, 2022, AFDS and the Subcontractor
stored screenshots from CMS systems containing personally identifiable information and
potentially personal health information of Medicare beneficiaries on the Subcontractor’s
server without individually encrypting the files to protect them against exposure in the
event of a breach using authorized credentials. The United States contends the storing
of screenshots on the Subcontractor’s server violated HHS cybersecurity requirements
incorporated in the Medicare Case Support Contract, including its Rules of Behavior.
The Subcontractor’s server was breached by a third party in October 2022 and the
unencrypted screenshots were compromised during that breach. The United States
contends that AFDS knowingly billed CMS in violation of HHS’s cybersecurity
requirements, including for the time spent taking, storing, and managing the unencrypted
screenshots. This conduct is referred to below as the Covered Conduct.
C. AFDS notified CMS of the breach within one hour of being notified by the
Subcontractor. AFDS subsequently took steps to remediate the impact of the breach; the
company immediately stopped taking and storing screenshots or otherwise storing
protected health and other personally identifiable information outside of CMS systems,
and it worked cooperatively with CMS to identify the relevant Medicare beneficiaries,
notify them of the breach, and provide free credit monitoring and identity theft protection
services. Additionally, AFDS provided its employees with cybersecurity and incident
response training and hired a third-party consultant to review its revised practices relating
to the Medicare Case Support Program to ensure they are consistent with CMS
requirements. Finally, AFDS cooperated with the Department of Justice’s investigation
by promptly responding to requests for information, making employees available to be
interviewed, and providing additional information about the breach. AFDS received
credit under the Department of Justice’s guidelines for taking disclosure, cooperation,
and remediation into account in False Claims Act cases, Justice Manual §4-4.112.
D. This Settlement Agreement is neither an admission of liability by AFDS
nor a concession by the United States that its claims are not well founded.
To avoid the delay, uncertainty, inconvenience, and expense of protracted
litigation of the above claims, and in consideration of the mutual promises and
obligations of this Settlement Agreement, the Parties agree and covenant as follows:
TERMS AND CONDITIONS
1. AFDS shall make and waive payments to the United States as follows:
a) AFDS shall pay to the United States $306,722, of which $306,722 is
restitution, by electronic funds transfer pursuant to written instructions to be provided by
the Civil Division of the Department of Justice, no later than 10 days after the Effective
Date of this Agreement; and
b) AFDS shall waive, and not seek payment, from the United States for any work
performed or expenses incurred by AFDS and/or its subcontractors or other third-party
contractors in remediation of the breach of its subcontractor’s systems under the
Medicare Case Support Contract, including for: a) any work performed or expenses
incurred to notify Medicare beneficiaries of the breach, and provide credit monitoring,
call center assistance, and other assistance to affected or potentially affected
beneficiaries, including the $877,578.04 incurred by AFDS for services of Equifax; and
b) any work performed or expenses incurred pursuant to modification P00015 (dated
December 6, 2022) to the Medicare Case Support Contract.
2. Subject to the exceptions in Paragraph 3 (concerning reserved claims)
below, and conditioned upon the United States’ receipt of the payment under Paragraph
1.a and AFDS’s waiver of payments under Paragraph 1.b, the United States releases
AFDS from any civil or administrative monetary claim the United States has for the
Covered Conduct under the False Claims Act, 31 U.S.C. §§ 3729-3733; the Civil
Monetary Penalties Law, 42 U.S.C. § 1320a-7a; the Program Fraud Civil Remedies Act,
31 U.S.C. §§ 3801-3812; or the common law theories of breach of contract, payment by
mistake, unjust enrichment, and fraud.
3. Notwithstanding the release given in Paragraph 2 of this Agreement, or
any other term of this Agreement, the following claims and rights of the United States are
specifically reserved and are not released:
a. Any liability arising under Title 26, U.S. Code (Internal Revenue
Code);
b. Any criminal liability;
c. Except as explicitly stated in this Agreement, any administrative
liability or enforcement right, or any administrative remedy,
including the suspension and debarment rights of any federal
agency;
d. Any liability to the United States (or its agencies) for any conduct
other than the Covered Conduct;
e. Any liability based upon obligations created by this Agreement;
f. Any liability of individuals;
g. Any liability for express or implied warranty claims or other
claims for defective or deficient products or services, including
quality of goods and services; and
h. Any liability for personal injury or property damage arising from
the Covered Conduct.
4. AFDS waives and shall not assert any defenses AFDS may have to any
criminal prosecution or administrative action relating to the Covered Conduct that may be
based in whole or in part on a contention that, under the Double Jeopardy Clause in the
Fifth Amendment of the Constitution, or under the Excessive Fines Clause in the Eighth
Amendment of the Constitution, this Agreement bars a remedy sought in such criminal
prosecution or administrative action.
5. AFDS fully and finally releases the United States, its agencies, officers,
agents, employees, and servants, from any claims (including attorneys’ fees, costs, and
expenses of every kind and however denominated) that AFDS has asserted, could have
asserted, or may assert in the future against the United States, its agencies, officers,
agents, employees, and servants, related to the Covered Conduct and the United States’
investigation and prosecution thereof.
6. a. Unallowable Costs Defined: All costs (as defined in the Federal
Acquisition Regulation, 48 C.F.R. § 31.205-47) incurred by or on behalf of AFDS, and
its present or former officers, directors, employees, shareholders, and agents in
connection with:
(1) the matters covered by this Agreement;
(2) the United States’ audit(s) and civil investigation(s) of the
matters covered by this Agreement;
(3) AFDS’s investigation, defense, and corrective actions
undertaken in response to the United States’ audit(s) and
civil investigation(s) in connection with the matters
covered by this Agreement (including attorneys’ fees);
(4) the negotiation and performance of this Agreement;
(5) the payment AFDS makes to the United States pursuant to
this Agreement,
are unallowable costs for government contracting purposes (hereinafter referred to as
Unallowable Costs).
b. Future Treatment of Unallowable Costs: Unallowable Costs will
be separately determined and accounted for by AFDS, and AFDS shall not charge such
Unallowable Costs directly or indirectly to any contract with the United States.
c. Treatment of Unallowable Costs Previously Submitted for
Payment: Within 90 days of the Effective Date of this Agreement, AFDS shall identify
and repay by adjustment to future claims for payment or otherwise any Unallowable
Costs included in payments previously sought by AFDS or any of its subsidiaries or
affiliates from the United States. AFDS agrees that the United States, at a minimum,
shall be entitled to recoup from AFDS any overpayment plus applicable interest and
penalties as a result of the inclusion of such Unallowable Costs on previously-submitted
requests for payment. The United States, including the Department of Justice and/or the
affected agencies, reserves its rights to audit, examine, or re-examine AFDS’s books and
records and to disagree with any calculations submitted by AFDS or any of its
subsidiaries or affiliates regarding any Unallowable Costs included in payments
previously sought by AFDS, or the effect of any such Unallowable Costs on the amount
of such payments.
7. This Agreement is intended to be for the benefit of the Parties only.
8. Each Party shall bear its own legal and other costs incurred in connection
with this matter, including the preparation and performance of this Agreement.
9. Each Party and signatory to this Agreement represents that it freely and
voluntarily enters into this Agreement without any degree of duress or compulsion.
10. This Agreement is governed by the laws of the United States. The
exclusive venue for any dispute relating to this Agreement is the United States District
Court for the District of Columbia. For purposes of construing this Agreement, this
Agreement shall be deemed to have been drafted by all Parties to this Agreement and
shall not, therefore, be construed against any Party for that reason in any subsequent
dispute.
11. This Agreement constitutes the complete agreement between the Parties.
This Agreement may not be amended except by written consent of the Parties.
12. The undersigned represent and warrant that they are fully authorized to
execute this Agreement on behalf of the persons and entities indicated below.
13. This Agreement may be executed in counterparts, each of which
constitutes an original and all of which constitute one and the same Agreement.
14. This Agreement is binding on AFDS’s successors, transferees, heirs, and
assigns.
15. All Parties consent to the United States’ disclosure of this Agreement, and
information about this Agreement, to the public.
AFDS
DATED: BY: _____________________________
Clifford E. Greenblatt
Corporate Secretary of AFDS
DATED: BY: _____________________________
Alex Ward
Counsel for AFDS
10/01/2024
10/11/2024