2024 Healthcare Fraud Enforcement Year in Review

In 2024, as in years past, healthcare fraud enforcement by the U.S. Department of Justice (DOJ) was substantial. Federal actions under the False Claims Act (FCA) alone resulted in $1.67 billion in settlements and judgments from managed care providers, hospitals and other medical facilities, pharmacies, pharmaceutical companies, laboratories, and physicians. Last year also saw some new developments, as DOJ kicked off new policies and priorities that warrant attention for healthcare industry participants. Our team put together insights on key 2024 developments at DOJ and U.S. Food and Drug Administration (FDA), including a new whistleblower reward program, a newfound interest in the influence of EC/VC on the healthcare industry, and increased attention to cybersecurity under the Civil Cyber Fraud Initiative and for digital medical devices.

DOJ Sweetened the Equation for Corporate Whistleblowers in 2024

The Criminal Division of DOJ announced a new Corporate Whistleblower Awards Pilot Program (the Program) in August 2024.  The Program covers, among other subject areas, federal healthcare offenses outside the FCA’s scope of federal healthcare benefits and beneficiaries.  Principal Deputy Assistant Attorney General Nicole Argentieri emphasized in her remarks on the Pilot Program that “Fraud on federal health care benefit programs is already covered by the Civil Division’s qui tam program—and we have no intention of interfering with that highly successful program.  But there is no comparable whistleblower program for fraud involving private insurers, even though estimates show tens of billions of dollars in fraud each year.”

The Program is slated to run as a pilot for three years and will reward whistleblowers who report corporate misconduct directly to the government.  The potential rewards for whistleblowers are significant: up to 30% of the first $100 million in proceeds resulting from their cooperation, and then up to 5% of any recoveries over $100 million and up to $500 million. The Program will be administered by the Criminal Division’s Money Laundering and Asset Recovery Section.

Under the Program, whistleblowers must meet several conditions to be eligible:

• Individuals only. The whistleblower must be an individual, not a company or another type of entity. In addition, the individual must
• Have had only a limited (or no) role in the offense. The individual must not have “meaningfully participated” in the misconduct reported.
• Provide full cooperation. The individual must continue to fully cooperate with DOJ’s investigation after making a report.
• Not be eligible for other rewards. The individual must not be eligible for an award through another U.S. government or statutory whistleblower, qui tam, or similar program.
• Information provided must be:
• “Original” information. Original information is defined as information deriving from the individuals’ independent knowledge or independent analysis, that is nonpublic, was not previously known to DOJ, and materially adds to the information DOJ already possess.
• Related to certain subject matter areas. The information must relate to one of the four areas of corporate crime: (i) certain crimes involving financial institutions; (ii) foreign corruption; (iii) domestic corruption; or (iv) healthcare fraud schemes targeting private insurers not subject to qui tam recovery under the FCA.
• Voluntarily provided. An individual’s decision to report activity to DOJ must be voluntary.
• Truthful and complete.  The individual’s information must be truthful and complete, including their own role in the misconduct.
• Minimum Forfeiture Amount. The information must lead to the successful forfeiture of more than $1 million in net proceeds in connection with a prosecution, corporate criminal resolution, or civil forfeiture action.

In announcing the Program, DOJ also referenced a corresponding amendment to its Voluntary Self Disclosure (VSD) Policy intended to incentivize prompt attention to internal whistleblower complaints. The amendment makes it possible for companies that voluntarily self-report within 120 days of receiving an internal whistleblower report to be eligible for a presumption of a declination under the VSD Policy.

Best Practices for Corporate Compliance:

Key compliance strategies for companies to consider include:

• Bolstering internal reporting systems so that they are easily accessible to employees and give whistleblowers every opportunity to disclose issues internally prior to reporting to DOJ.
• Confirming there are appropriate whistleblower protections and anti-retaliation policies in effect that are enforced.
• Ensuring the company is equipped to swiftly identify, investigate, and address reports of misconduct. Otherwise, the compressed 120-day deadline to receive benefits under the VSD Program will make it difficult for companies, especially multinational companies in highly regulated industries, to conduct a thorough internal investigation and potentially disclose misconduct reported internally by a whistleblower to DOJ.

Now What? Anticipating the Impact:

• Increase in whistleblower reports. Given the strong monetary incentives the Program provides for whistleblowers, we can expect increased whistleblower reports internally and to DOJ in 2025. Companies should have in place policies and systems capable of accommodating increased activity.
• Expansion of government enforcement in healthcare. The Program highlights DOJ’s expanded enforcement focus on federal healthcare offenses involving private insurers, fraud against patients and investors, and other violations not covered by the FCA.
• Fast-paced internal investigations. The 120-day reporting window is likely to result in corporate investigations counsel triaging allegations of misconduct. Corporate counsel will need to quickly issue-spot and allocate the appropriate resources for the investigation of reports related to money laundering, bribery, corruption, and fraud.
• U.S. Attorney-specific whistleblower programs. In the fall of 2024, the U.S. Attorneys for Southern District of New York, the Eastern District of New York, the Eastern District of Virginia, the District of New Jersey, the Northern District of Illinois, the Central District of California, and the Southern District of Florida all implemented their own whistleblower awards pilot programs. Most of these programs clarify the criteria companies must satisfy to receive a non-prosecution agreement. We can expect other U.S. Attorney’s Offices to follow suit in 2025.

2024: DOJ Turned an Eye Toward EC/VC Investment in the Healthcare Industry.

It was no surprise that DOJ’s Civil Division proclaimed “healthcare fraud” as a core priority in 2024, but it was significant that DOJ signaled increased scrutiny of private equity and venture capital firms in the healthcare industry—including potential liability for claims submitted by portfolio companies.  DOJ’s focus on third-party investors in the healthcare industry represented yet another new effort to expand the scope of FCA liability.  Along the same lines, DOJ also joined both the Federal Trade Commission and the U.S. Department of Health and Human Services to launch an inter-agency inquiry focused on the role of private equity in the healthcare field.

While emphasizing its intention to hold investment entities accountable for the conduct of portfolio companies, DOJ stressed that the FCA has been “so successful” because of “its wide reach.”  DOJ highlighted that investment firms may be found liable, even when not the firm is not directly involved in the claims submission process, if “their conduct played a significant and foreseeable role in advancing the scheme.”  Finding upstream liability for investors and firms “is of particular importance in the healthcare industry,” DOJ explained, because investors and firms “may influence patient care” directly by providing express directions on business decisions or indirectly by setting revenue targets or other benchmarks that are intended to maximize reimbursements.  DOJ expressed concern that undue or improper pressure from investors can also “undermine medical judgement” and “inappropriately influence” the physician-patient relationship. These would then cause the submission of false claims to the federal government.

Recognizing that private equity plays a large and growing role in the healthcare field, DOJ expects that “their impact on healthcare billings will continue to grow as well.”  As such, we expect that DOJ will increase scrutiny of third-party investors in the healthcare industry. EC/VC investors, boards, and executives can benefit from advice and analysis of how and where DOJ might see FCA liability in their work with healthcare portfolio companies.

Whistleblowers Helped DOJ’s Civil Cyber Fraud Initiative Tally Big Settlements in 2024

Healthcare industry participants handle enormous amounts of patient health information, and if they are billing federal insurance programs for their services, their cybersecurity lapses will draw scrutiny from federal enforcers. That makes it important to track DOJ activity under the Civil Cyber Fraud Initiative.  First announced in 2021, the initiative uses the FCA to prosecute government vendors and contractors who either knowingly misrepresent material elements of their cybersecurity practices and protocols or whose cybersecurity does not satisfy standards set out in the governing contract. In 2024, prosecutors recovered more than $14,000,000 in just two settlements reached as part of DOJ’s Civil Cyber Fraud Initiative.

This Is a Test: $11.4 Million Settlement for Incomplete Cybersecurity Testing.

The year’s largest settlement focused on a service provider used frequently in the healthcare industry: contractor- and subcontractor-provided services to a federally funded program run by a state. The enforcement action involved a consulting company and its subcontractor who together were responsible for the pre-launch cybersecurity testing of a new online application system for a rental assistance program funded by the federal government and administered by the State of New York. Just hours after the system went live in 2021, however, personally identifiable information of some program applicants was available on the internet.

A qui tam relator brought suit against both the contractor and the subcontractor in 2022. The government intervened, contending that it had claims against the two entities under the FCA because the knowing failure to conduct the requisite “pre-go-live cybersecurity testing” and the knowing use of unauthorized software were violations of the cybersecurity requirements incorporated in the relevant contract.

The contractor and the subcontractor settled with DOJ in May 2024 and, while they did not admit liability, they did admit that neither satisfied their obligation to complete the required pre-production cybersecurity testing. Both also admitted to the use of unauthorized software. The contractor and the subcontractor agreed to settlement amounts of $7,600,000 and $3,700,000, respectively. The whistleblower received $1,949,250 of the total. These large settlements will likely incentivize whistleblowers and government enforcers to look for comparable cases to bring against contractors in the healthcare industry.

Remediation and Cooperation Were Not Enough: $2.7 Million Settlement for Unsecured Handling of Health Information and Personally Identifiable Information.

The discovery of a cybersecurity deficiency often prompts remedial steps, particularly when the data at risk includes protected health information. The importance of prompt remediation (and the cost of delay) was highlighted by the enforcement action taken against a federal contractor that implemented extensive remedial measures in response to internal complaints (and did so before any government inquiry was made) and also cooperated once the government commenced its investigation, but nonetheless entered into a $2.7 million settlement agreement with the government to resolve allegations that it violated the FCA by providing inadequate data-security resources and training in connection with a COVID-era contact tracing program.

In August 2020, the company was hired by the Pennsylvania Department of Health to provide staff for COVID-19 contact tracing. Funding for the program was provided by the elegantly named Epidemiology and Laboratory Capacity Cooperative Agreement Program within the United States Centers for Disease Control and Prevention.

The staff provided by the contractor transmitted some personal health information and personally identifiable information for contact tracing subjects in unencrypted emails. Some of the information was stored and transmitted using Google files that were not password-protected, and some of the data was also potentially accessible to the public via internet links. From November 2020 until January 2021, contract staffers complained to their managers about the insecure handling of the information.

In April 2021, the contractor responded by securing sensitive information, investigating the cause and scope of the incident, strengthening internal controls and procedures, adding more data-security resources, and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected.

In July 2021, however, a former employee of the contractor who had worked on the contact tracing in question filed a qui tam suit under the FCA. Federal investigators issued a Civil Investigative Demand, and the company cooperated with the government investigation.

The remedial steps taken by the company are set out in its settlement agreement with the government, as is the company’s cooperation with the government investigation. The government contended (and the company denied) that the company “failed to promptly remediate” the issues and “should have (and could have) provided more data-security resources and training . . . .” The company ultimately agreed to a settlement payment of $2.7 million ($499,500 of which was paid to the qui tam relator) and an additional $86,200 for reasonable attorneys’ fees for bringing the qui tam suit. The resolution is the latest reminder of the importance of promptly addressing internal complaints regarding cybersecurity issues.

DoD and NASA Rules Apply: $1.25 Million for Allegedly Inadequate Controls and Knowing Misstatements.

Academic institutions that conduct federally funded research should take note of DOJ’s intervention in a case involving an academic institution that contracted to provide services to the Department of Defense (DoD) and that National Aeronautical and Space Agency (NASA)—two agencies that set out especially specific cybersecurity standards.

From 2018 to 2023, the academic institution in question was contractually required by DoD and NASA to implement cybersecurity controls and—significantly—to develop and implement plans of action to correct any deficiencies it identified. The government alleged that the university identified cybersecurity deficiencies in services provided under more than a dozen contract and subcontracts, and that the university disclosed those deficiencies to the government through cybersecurity assessment scores that revealed that key controls were absent.

Although the university gave the government dates by which it would implement the necessary controls, the government alleged that it not only knowingly misstated those dates but also did not follow plans to implement the controls. In addition, the government alleged that the university was performing the contract using a cloud server that did not meet applicable standards.

The conduct was first alleged in a qui tam suit brought by the former Chief Information Officer for the university in 2022. The university agreed to a settlement payment of $1.25 million (plus $150,000 to the relator’s counsel for attorneys’ fees), with the relator receiving $250,000.

What Will 2025 and a New Administration Bring?

There is no shortage of speculation about what kind of change will come with a new attorney general and a new administration. The importance of cybersecurity is beyond question for national security, health information, financial information, and even political stability. But will the FCA continue to be seen as the right tool to deter noncompliance with cybersecurity requirements in federal contracts? Given the federal government’s long and lucrative history with the FCA, signs point to yes.

2024: FDA Focuses on Medical Device Cybersecurity

With the medical device market increasingly shifting its focus to digital health tools, FDA has sought to provide guidance on its expectations around security for devices that access the internet (“cyber devices”). These products collect and send protected data and are frequent targets for cyber criminals, a reality not lost on legislators.  To address cyberattacks targeting the healthcare sector, Congress amended the Federal Food, Drug, and Cosmetic Act (FDCA) in 2022 to establish new requirements for manufacturers of cyber devices.  While FDA issued some responsive draft guidance documents shortly after enactment of the legislation, the pace of guidance picked up in late 2023 and continued throughout 2024, including the issuance of two key policy documents on the subject:

• September 2023 – Final Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
• March 2024 – Draft Guidance: Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act

FDA has also worked closely with a nonprofit organization that conducts research and development for the U.S. government to issue cybersecurity resources, such as:

• November 2023 – Legacy Medical Device Report: Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks 
• October 2024 – New White Paper for Medical Device Manufacturers: Data Normalization Challenges and Mitigations in Software Bill of Materials (SBOM) Processing
• October 2024 – New Journal Article: Digital Certificate Management for Medical Devices in the Journal of Clinical Engineering

Although these guidance documents are not legally binding, and therefore did not change any legal requirements relative to the legislation, we expect to see more enforcement related to these cybersecurity requirements in the near term. FDA is paying more attention to cybersecurity not only in premarket submissions but also during inspections of medical device manufacturing facilities.  Indeed, FDA recently issued a warning letter to a device manufacturer after an inspection revealed that the manufacturer’s devices were adulterated under the FDCA for quality system regulation violations, some of which were related to cybersecurity vulnerabilities.  While this is not the first warning letter of its kind, we expect that FDA’s increased focus and the recently clarified statutory authority may drive an enforcement uptick.