Virginia Contractor Settles False Claims Act Liability for Failing to Secure Medicare Beneficiary Data
United States Department of Justice, Office of Public Affairs

ASRC Federal Data Solutions LLC (AFDS), headquartered in Reston, Virginia, has agreed to resolve False Claims Act allegations in connection with a government contract related to its storage of unsecured personally identifiable information of Medicare beneficiaries. Under the resolution, AFDS will pay $306,722. It will also waive any rights to reimbursement for remediating a data breach involving the information, including at least $877,578 in costs it incurred notifying beneficiaries and providing credit monitoring. AFDS promptly notified the Centers for Medicare and Medicaid Services (CMS) of the data breach, worked with CMS to address the impact of the breach, cooperated with the Justice Department's investigation and took other remedial measures.

"Government contractors that handle personal information must take required steps to safeguard that information from cyberattacks," said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department's Civil Division. "We will vigilantly pursue contractors that fail to comply with required cybersecurity protocols, while at the same time extending cooperation credit where warranted for self-disclosure, cooperation and remediation."

AFDS provided certain Medicare support services under a contract with CMS. The settlement resolves allegations that, from March 10, 2021, through Oct. 8, 2022, AFDS and a subcontractor stored screenshots from CMS systems containing personally identifiable information, and potentially personal health information, of Medicare beneficiaries on the subcontractor's server without individually encrypting the files to protect them against exposure in the event of a breach. The subcontractor's server employed disk-level encryption that protected files from unauthorized access but not from access using authorized credentials. The subcontractor's server was breached by a third party in October 2022, and the unencrypted screenshots were allegedly compromised during that breach.

The United States alleged that the storing of screenshots on the subcontractor's server violated AFDS' contractual cybersecurity requirements and that AFDS knowingly billed CMS in violation of these requirements.

"Safeguarding patients' sensitive personal information is of paramount importance," said Special Agent in Charge Stephen Niemczak of the Department of Health and Human Services Office of the Inspector General (HHS-OIG). "This settlement demonstrates the commitment by HHS-OIG and our law enforcement partners to use every available tool to protect the health care data of all Americans and to investigate allegations of fraud, waste and abuse against the public and taxpayer-funded health care programs."

On Oct. 6, 2021, Deputy Attorney General Lisa Monaco announced the department's Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.

The resolution obtained in this matter was the result of a coordinated effort between the Civil Division's Commercial Litigation Branch, Fraud Section, and HHS-OIG.

Senior Trial Counsel Jonathan H. Gold of the Civil Division's Fraud Section handled the matter.

The claims resolved by the settlement are allegations only. There has been no determination of liability.

Office of Public Affairs
U.S. Department of Justice
950 Pennsylvania Avenue NW
Washington DC 20530

Office of Public Affairs Direct Line: 202-514-2007
Department of Justice Main Switchboard: 202-514-2000