Are drug and device makers with weak cybersecurity violating the False Claims Act?

By Paul Rothermel, J.D., C.I.P.M

It is no secret that cybersecurity is a high-profile issue impacting every industry. Health care is no exception. News of data breaches and ransomware attacks are so frequent, even for large organizations, that most of us probably skim past the latest data breach news without skipping a beat. As a result of the rise in these incidents, the government is emphasizing cybersecurity matters. One example is a recent Executive Order on cybersecurity.

As this wave of cybercrime and even national security threats continue to rise, the government is reaching into its toolbox for more options to address the nation’s cybersecurity challenges. In October, the United States Department of Justice (DOJ) announced a False Claims Act (FCA) initiative called the Civil Cyber-Fraud Initiative to address deficient cybersecurity practices by government contractors and grant recipients.

According to the DOJ press release:

  • The Civil Cyber-Fraud Initiative will utilize the FCA to pursue cybersecurity related fraud by government contractors and grant recipients. The FCA is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The FCA includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursing fraudulent conduct, share in recoveries, and protection from retaliation.
  • The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

What are the Implications of the DOJ Civil Cyber-Fraud Initiative for Drug and Device Makers?

If a drug or device maker sells goods or services paid for by federal programs, and in the process knowingly makes false statements about its cybersecurity practices, which induce the government to make payment for those goods and services, that could lead to FCA liability under this initiative. We think this could particularly impact drug or device makers that bill government programs, such as durable medical equipment providers, as well as those providing services that implicate cybersecurity directly (e.g., as a business associate) to customers that bill government programs. The more directly relevant cybersecurity is to the goods and services provided, the more direct the path to liability.

While HIPAA has long offered whistleblower protections for reporting violations of its strict health care privacy regulations, the potential windfalls for qui tam relators regarding cybersecurity deficiencies are significant. Even where such suits are unsuccessful, they may damage reputation or expose companies to increased attention from opportunistic criminals seeking easy hacking targets. In addition, the knowledge and materiality elements of the FCA will be easier for relators to prove if the government establishes a precedent of rescinding contracts or recouping funds based on cybersecurity deficiencies of health care entities. Enforcement of the FCA is primarily through civil litigation, so the standard of proof is only preponderance of the evidence.

Summary of the FCA

This federal initiative is based on the FCA which was enacted during the U.S. Civil War in 1863 to protect the government from being over-charged or paying for unnecessary goods or services, including paying for goods or services that would not have been paid but for a false claim. 31 U.S.C. § 3729-3733, 18 U.S.C. § 287. Under the FCA, it is illegal to knowingly present, or cause to be presented, a false claim for payment or approval; or to knowingly make, use, or cause to be made or used, a false record or statement material to a false or fraudulent claim. A claim is considered false or fraudulent if it results from a kickback or is made in violation of any other law. Violators may face both civil and criminal liability under the FCA. Key to the FCA is its qui tam provisions, which allow private individuals (i.e., whistleblowers), such as company insiders, to file suit for violations of the FCA. The federal government then has the option to join the suit.

In short, a FCA suit requires the plaintiff to prove four elements:

  1. Claim for government payment;
  2. Falsity;
  3. Materiality; and
  4. Knowledge (scienter).

Taking these in order, we discuss how deficient cybersecurity may cause a drug or device manufacturer to meet these elements.

Claim for government payment

There is no liability under the FCA if there is no claim for government payment. Drug or device makers are frequently implicated in FCA claims because their products and services are reimbursed by federal health care programs.

Falsity

As part of any FCA suit, the plaintiff must prove falsity of the information submitted. Generally, falsity can be proven in a variety of different ways and can include factual falsity (provision of incorrect information about goods or services provided) or legal falsity (implied or express certifications of compliance with contract terms, statutes, or regulations).

Cybersecurity example #1: Suppose a defendant agrees to implement reasonable cybersecurity controls in a government contract and has implemented some set of controls that could be considered reasonable. In this situation, the defendant could argue that it has not made a false statement or claim. Alternatively, suppose the defendant has agreed to implement “disk-level 256-bit encryption of protected health information stored at rest”, but has not implemented encryption at all. Here, the statement is likely to be considered factually false.

Cybersecurity example #2: Alternatively, suppose a drug or device maker sells products or services which are paid for by the government and the company is knowingly not compliant with applicable HIPAA requirements related to those products or services. Under the Implied Certification Theory, the failure to disclose its deficient HIPAA compliance could expose the company to FCA liability, even if the drug or device maker did not expressly make false statements that it has cybersecurity practices compliant with HIPAA.

Materiality

Even if falsity is proven by the defendant, the false statement must also be material. The FCA defines ‘material’ to mean ‘having a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.’ 31 U.S.C. § 3729(b)(4). In other words, a false statement or record, or failure to disclose noncompliance, is material if the government would not have paid for the goods or services but for the false information provided.

As materiality is one key element of making false statements or records, we think that the risk of enforcement against drug or device makers under this initiative will be higher when cybersecurity is directly relevant to goods or services paid for by the government, such as where the company is a Business Associate or a Covered Entity.

Cybersecurity example: Suppose a drug or device maker offers network-connected medical devices, or even implanted devices that have Bluetooth or other wireless capabilities, which are paid for by federal programs. If the devices are deficient with regard to cybersecurity controls and the drug or device maker knows the government would not have paid for the devices if it knew of the deficiencies, this could expose the company to FCA risk.

Knowledge

The defendant must also know the information is false and that it is material to the claim. To know, includes “actual knowledge” as well as “deliberate ignorance” (or “reckless disregard”) of the truth or falsity of the information. As noted above, materiality is when the government would not have paid for goods or services were it not for the false record or statement.

For a defendant to be liable under the FCA on the basis of a false statement about cybersecurity, the plaintiff would need to not only prove defendant’s knowledge of the falsity or truth of the information, but also that the defendant had knowledge that the government would condition payment of the claim on the false statement. The statements from the DOJ identifying cybersecurity as a focus area for FCA activity put companies on notice of the government’s intention to seek damages for payments made for goods or services with regard to which cybersecurity is deficient.

Cybersecurity example: Suppose a drug or device maker agrees to cybersecurity terms. In this case, implementation of audit logging for access to health information held on a device, with a provider for goods or services billed to federal programs. If the drug or device maker knows that this cybersecurity obligation exists and is not met, then that meets the “knowledge of falsity” standard. The drug or device maker would then also need to know that the government will not pay for goods or services where devices have inadequate cybersecurity, meeting the “knowledge of materiality” standard.

Considerations For Addressing Risk

Drug or device makers should evaluate their cybersecurity programs to ensure they are aligned with current practices. Some key considerations:

  • Is there qualified information security leadership identified who is responsible for securing the company’s information?
  • Is there a policy framework that supports good security practices for the company?
  • Does the senior leadership team discuss cybersecurity risk on a regular basis?
  • Is security implemented by design into company products and services?
  • Has the company considered whether it is a Covered Entity or Business Associate under HIPAA, and, if so, is it complying with applicable requirements?, e.g., policies, procedures, security controls for PHI, etc.

Factors that may increase risk:

  • Does the company sign agreements with customers, including but not limited to Business Associate Agreements, with privacy and cybersecurity provisions?
  • Does the company provide products or services which directly include cybersecurity or privacy components?. e.g., connected devices, programmers, software services, hosting of customer data.
  • Does the company directly bill federal programs or sell to federal agencies?

Where Do We Go From Here?

This initiative is a piece in a larger puzzle, and signals a broader message from the federal government: Cybersecurity is a priority for the government. We predict Congressional action on point in the coming years. No company is safe from cybersecurity threats. One of the biggest wrinkles from this initiative is the increased potential for whistleblowers and qui tam relators to call out weak cybersecurity practices, as cybersecurity deficiencies are more likely to be identified by insiders with direct knowledge of these matters. With this in view, as well as the practical reality of cybersecurity threats, drug or device makers will benefit from evaluating their current cybersecurity practices and ensuring they are appropriate and defensible.

Have questions? Contact us.

Information provided on this website is not legal advice. Communications sent to or from this site do not establish an attorney-client relationship. © 2021 Gardner Law. All Rights Reserved.