ASRC Federal Data Solutions LLC (AFDS), based in Reston, Virginia, has agreed to settle allegations related to the False Claims Act. The allegations involve a government contract concerning the storage of unsecured personal information of Medicare beneficiaries. As part of the settlement, AFDS will pay $306,722 and forgo any reimbursement rights for costs incurred during a data breach remediation, including at least $877,578 spent on notifying affected individuals and providing credit monitoring services.
The company informed the Centers for Medicare and Medicaid Services (CMS) about the data breach promptly and collaborated with CMS to mitigate its impact. Additionally, AFDS cooperated with the Justice Department's investigation and took remedial actions.
“Government contractors that handle personal information must take required steps to safeguard that information from cyberattacks,” stated Principal Deputy Assistant Attorney General Brian M. Boynton of the Justice Department’s Civil Division. He emphasized that while contractors failing to meet cybersecurity protocols would be pursued vigilantly, cooperation credit would be extended where appropriate.
AFDS was contracted by CMS to provide certain Medicare support services. The settlement addresses allegations that between March 10, 2021, and October 8, 2022, AFDS and a subcontractor stored screenshots containing personally identifiable information on an unencrypted server owned by the subcontractor. Although disk-level encryption was used to protect files from unauthorized access, it did not prevent access through authorized credentials, because files on an encrypted disk are served in the clear to any session that authenticates to the system. A third party breached this server in October 2022, allegedly compromising these unencrypted screenshots.
The U.S. government alleged that storing these screenshots violated AFDS' contractual cybersecurity obligations and that AFDS knowingly billed CMS despite these violations.
“Safeguarding patients’ sensitive personal information is of paramount importance,” said Special Agent in Charge Stephen Niemczak from the Department of Health and Human Services Office of Inspector General (HHS-OIG). He noted that this settlement underscores HHS-OIG's commitment to protecting healthcare data against fraud and abuse.
On October 6, 2021, Deputy Attorney General Lisa Monaco announced the department’s Civil Cyber-Fraud Initiative aimed at holding accountable those who compromise U.S. systems or misrepresent their cybersecurity practices.
This resolution resulted from collaboration between various branches within the Civil Division's Commercial Litigation Branch and HHS-OIG. Senior Trial Counsel Jonathan H. Gold managed this case within the Fraud Section.
It is important to note that these claims are only allegations; no liability determination has been made.