DOJ Resolves Civil Cyber Fraud Initiative Case with CHS and Issues a $930,000 Penalty

The U.S. Department of Justice (DOJ) has reported the settlement agreed with the healthcare services company, Comprehensive Health Services (CHS) located in Cape Canaveral, FL to resolve alleged False Claims Act violations.

This is the first settlement announced with the DOJ Civil Cyber Fraud Initiative, which was started in 2021. The Civil Cyber Fraud Initiative was introduced to go after cases versus government service providers that consciously employed poor cybersecurity solutions and services that put data systems in danger, and failures to send alerts of cybersecurity events.

CHS along with its subsidiaries had deals with the U.S. Department of State and the U.S. Air Force to run healthcare services at U.S. military establishments in Afghanistan and Iraq. Two actions were sent in under the whistleblower conditions of the False Claims Act that claimed CHS got payment for managing those medical facilities yet was unable to run them in a fashion in keeping with U.S. specifications.

Allegedly, CHS failed to maintain proper workforce levels, granted unqualified persons to do surgery, pharmacy, and radiology services, and maintained that a number of the controlled substances offered to patients at the health care facilities were permitted by the U.S. Food and Drug Administration or European Medicines Agency when those substances were brought in from South Africa and were not authorized. CHS was accused of bidding on the contracts to manage the healthcare facilities when it knew that it cannot fulfill its responsibilities to do so.

Between 2012 and 2019, CHS sent claims for refund of $486,000 with its contract however did not make known that it did not continually save medical records in a protected, HIPAA-compliant electronic medical record (EMR) system. CHS personnel scanned medical records for the EMR system nevertheless preserved scanned copies of several records on an internal network drive, which may be accessed by non-clinical employees, which include Iraqi nationals hired at the area. A number of employees depicted concern concerning the not secure storage of private medical information, nonetheless, CHS didn’t do anything to tackle the issue and was unable to make sure health records were simply located in the EMR system. CHS was furthermore alleged to have been advised of a few HIPAA breaches although failed to make them known.

CHS agreed to negotiate the case without admitting liability and decided to pay a fine of $930,000 to take care of the claimed False Claims Act violations.

This settlement shows the department’s determination to make use of its civil enforcement tools to follow federal contractors that do not comply with necessary cybersecurity criteria, specifically when they put sensitive medical records at stake, claimed Principal Deputy Assistant Attorney General Brian M. Boynton, the Justice Department’s Civil Division head. It is their responsibility to make certain that people who work with the government abide by their contractual commitments, such as those needing the security of sensitive government data.


About Christine Garcia 1309 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at