Department of Justice Announces Significant False Claims Act Settlements Tied to Electronic Health Records Arrangements

The Department of Justice (DOJ) recently announced two high-dollar False Claims Act (FCA) enforcement actions involving allegedly fraudulent arrangements tied to the implementation and use of electronic health record systems (EHRs). The respective settlements enable recovery by DOJ of over $100 million, and immediately precede the government’s recent proposal of new rules to promote the interoperability of EHRs. The settlements thus serve as an important reminder of the importance of adhering to federal fraud and abuse laws and regulations as hospitals and other health care providers continue to implement EHR technology.

First, on January 30, 2019, DOJ announced a $63.5 million settlement with Inform Diagnostics (formerly Miraca Life Sciences, Inc.), a pathology laboratory company, for allegedly violating the Anti-Kickback Statute (AKS) and physician self-referral law (Stark Law) by paying subsidies to referring physicians for EHRs and furnishing “free or discounted technology consulting services.” According to DOJ, the defendant in this case violated the former AKS safe harbor and Stark Law exception under which laboratory companies were permitted to donate EHR technology under certain conditions (until rescission of the availability of such safe harbor and Stark Law exception to laboratories in 2013).  The settlement resolves allegations contained in three qui tam FCA suits filed against the defendant, and in settling the defendant did not admit any liability.

Second, on February 6, 2019, DOJ announced a $57.25 million settlement with Greenway Health LLC (Greenway), an EHR vendor, for allegedly causing “its users to submit false claims to the government by misrepresenting the capabilities of its EHR product “Prime Suite” and providing unlawful remuneration to users to induce them to recommend Prime Suite.” DOJ alleges that Greenway falsely obtained certification for its Prime Suite EHR product in 2014 in connection with the government’s “meaningful use” EHR incentive program, and incorrectly calculated certain mandatory “meaningful use” metrics that allegedly caused users to falsely attest to the government that they were eligible for EHR incentive payments under the meaningful use program. DOJ also alleged that Greenway violated the AKS by furnishing money and incentives to clients to induce recommendations of its products to prospective customers.

In connection with the settlement, Greenway agreed to enter into what DOJ characterizes as an “innovative” five-year Corporate Integrity Agreement under which Greenway must retain an independent review organization to assess its software quality control and compliance, provide prompt notice to customers of any patient safety issues, and allow Prime Suite customers to (i) obtain the latest version of that product at no charge, (ii) migrate their data from Prime Suite to another Greenway product at no charge, or (iii) have Greenway transfer their data to another EHR vendor at no additional cost.

At a time of renewed focus on the capabilities and implementation of EHRs by health care providers, the above settlements reiterate that “EHR companies should consider themselves on notice” as a DOJ official stated. Health care providers would therefore be well-advised to review their current EHR capabilities and compliance systems in light of federal compliance and interoperability guidance.

Hack of Email Provider Destroys Servers and Two Decades of Data

We predicted last year that hackers would become more malicious in the future, not only stealing and selling data for nefarious purposes, but actually destroying data and even systems. That reality hit email provider VFEmail last week, and on February 12, founder Rick Romero tweeted “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they would want to completely and thoroughly destroy it.” The tweet went out after he watched the intruder reformat the hard drives of his email service, which has been in existence since 2001. The intrusion wiped out two decades of data. This is a tragic story.

According to Romero, the damage the intruder inflicted included VFEmail’s entire infrastructure, including mail hosts, machine hosts and an SQL server cluster, which led him to believe that the intruder had multiple passwords when hacking into the system.

It is unknown why the intruder was so malicious. The intruder’s IP address  is said to be linked to malicious hosting services located in Bulgaria. Romero further reported that the attacker used several means to access the VFEmail infrastructure, so two-factor authentication may not have thwarted it. So scary and bleak.

CISA’s Failure May Come to Haunt the Technology Industry

The Cybersecurity Information Sharing Act of 2015 (CISA) was intended to incentivize private entities to share threat intelligence information with the federal government (specifically the Department of Homeland Security), allowing all parties to react more quickly and efficiently to cyber threats. The vision was that thousands of companies would sign on, creating a powerful network that could form a joint defense in real time against emerging cyber threats. The dream is not going well. At last count, there were six non-federal entities signed up with DHS. The reasons for this failure are both technical (DHS has allegedly done a terrible job of contextualizing threat data to make it actionable) and non-technical (privacy is increasingly a business consideration, and working with the government creates bad optics).

One would like to believe this is just the market in a free society playing itself out. CISA was aspirational, but few companies appear to want to share their data with the government, even if they receive benefits in return. They don’t want to pay the hard costs to set up the systems or achieve compliance, nor do they want to risk paying soft costs associated with partners/customers discovering that they are voluntarily sharing data with the government. Ultimately, the government tried to get this going, but they failed, so end of story, right?

Wrong! Lawmakers are trumpeting CISA’s failure as evidence that a voluntary threat sharing program is never going to work,and that the government should instead mandate that private companies share their threat intelligence data. It is impossible to predict how such a legislative mandate would play out. How would it be enforced? Will the government be checking on Google and Microsoft and others to ensure compliance? Who knows! For once, it may be in the best interest of the public to root for lobbyists working on behalf of Big Tech, because if they can’t talk lawmakers down from this cliff, then the jump into mandating public-private partnerships is going to be messy for everyone.

This article authored by guest blogger Kyle Prigmore a student at Roger Williams University School of Law.

Is Bad Cyber Insurance Coverage Actually Good for Consumers?

The cyber insurance market continues to evolve, and major questions remain unanswered. Should policies cover regulatory fines? Should first- and third-party claims be addressed in separate policies? The list goes on.

For the consumer, here is an interesting thought experiment: Is a company having limited access to cyber insurance actually a good thing? Aside from niche exceptions (like GINA, HIPAA, etc.), there is a dearth of regulation pertaining to how private entities treat personal data that they collect. A security breach is one of the only instances in which a company exposes itself to liability for misuse/mistreatment of data, and in some instances, the resulting penalties and lawsuits provide a sharp kick in the rear to the offending company, often forcing the company to reassess and reinvest in its cybersecurity posture.

Cheap, easy access to expansive cybersecurity insurance policies would remove that incentive. If it becomes cheaper to buy insurance policies than to invest in improving cybersecurity internally, then many companies will simply fork over the cash. But so long as policies remain narrow and murky and limited, it is critical for companies to be rigorous about their internal security, which ultimately benefits customers housing data with these companies more directly than a cyber insurance policy ever would.

This article authored by guest blogger Kyle Prigmore a student at Roger Williams University School of Law.

Data Mining Shaping The Global Political Climate

The 2016 U.S. Presidential election demonstrated the importance of digital campaigning. President Trump’s campaign was vastly outspent by Hillary Clinton’s campaign, and placed little emphasis on traditional ground-game tactics. Instead, Trump focused his campaign on digital strategies to target “persuadable voters” via social media. The outcome of the election demonstrated the efficacy of this strategy; not only did Clinton lose the election, but she became the first general election candidate in nearly 40 years to lose after outspending their opponent.

Cambridge Analytica, a data mining and analysis firm, was hired by the Trump campaign and played a significant role in Trump’s underdog victory. Cambridge Analytica analyzed the content that a Facebook user liked, shared, or commented on in order to create a psychological profile of that social media user. The Trump campaign and Cambridge Analytica then used these psychological profiles to target persuadable voters.

Cambridge Analytica, however, dissolved in 2018 after public outcry from social media users claiming that Cambridge Analytica mined their data without their consent. Information was then presented that not only did Cambridge Analytica influence the 2016 election on behalf of Donald Trump, but also worked on behalf of the Brexit campaign and other political movements around the world.

This global trend indicates that data mining and voter targeting may be the blueprint for modern campaigning. It is likely no coincidence that Steve Bannon, Trump’s former chief strategist and co-founder of Breitbart News, is also a founder of Cambridge Analytica. Furthermore, despite the public backlash that Cambridge Analytica faced, the 2020 Trump Campaign has already partnered with new data analytics firms formed by Cambridge Analytica executives. Cambridge Analytica may have dissolved, but the valuable psychological profiles it created still exist and will continue to be exploited.

This article authored by guest blogger Michael Milas a student at Roger Williams University School of Law.

Behavioral Biometrics: Constructing the Digital You

During WWII, Morse Code was an indispensable asset that allowed the allies to transmit sensitive information over long distances with great accuracy. However, it contained an obvious, and potentially fatal, flaw — it provided no built in mechanism for identifying the sender of the messages. In order to combat this, U.S. intelligence officers implemented a methodology known as the “Fist of the Sender,” an early system of “behavioral biometrics” that verified the sender’s identity by analyzing subtle, non-replicable and idiosyncratic “typing” patterns of individual users.

While Morse Code and the “Fist” are laughably archaic by today’s standards, the field of behavioral biometrics has rapidly advanced, and companies today utilize complex algorithms and sensors to determine, track, and record not only your actual “typing” patterns, but also:

  • the angle at which you hold your devices;
  • the exact speeds at which you swipe or scroll on your devices;
  • the manner in which you scroll your mouse; and
  • which fingers you use to swipe on your touchscreens;

By collecting thousands of data points on an ongoing basis, companies create a digital profile of your individual mannerisms that can be used to determine when someone else has accessed your account. As reported by the New York Times in 2018, The Royal Bank of Scotland detected an imposter when the unsanctioned user scrolled the mouse wheel and used the numerical strip on the keyboard (both actions that the account holder had never done).

But as this exciting technology inevitably evolves and industries possess eerily accurate behavioral profiles of their clients, what may the legal/constitutional ramifications be?

  • Will, for example, this kind of information be admissible in court for the purposes of identification?
  • Will companies be limited as to how they can manipulate or sell this kind of data?
  • Will police need a warrant to obtain behavioral biometric data from companies, in light of the recent Supreme Courts recent decision in Carpenter v. United States — and to what degree is this data being “voluntarily” transmitted to third parties?
  • Will courts eventually determine that such an accurate and nuanced profile of one’s idiosyncratic behaviors are so intimate as to constitute intellectual property belonging to the individual and not the organization collecting it?
  • How useful will this information be in creating your robot clone? (I digress)

Our legal system is brilliantly designed to play “catch-up” with an evolving society, but rapid advances in technology, such as behavioral biometrics, will undoubtedly challenge our fundamental understanding of established legal principles in a manner that might even make our Founding Fathers say “new phone, who dis?”

This article authored by guest blogger Kelvin Santos a student at Roger Williams University School of Law.

HIPAA Data Breach Reports Due to OCR by 2/28/19

The HIPAA (Health Insurance Portability and Accountability Act) breach notification regulations require covered entities to self-report the unauthorized access, use or disclosure of unprotected protected health information (PHI) to the Office for Civil Rights (OCR).

If the data breach involves more than 500 individuals, the notification must be made to the OCR immediately. If the breach involves fewer than 500 individuals, the covered entity must notify the OCR before 60 days after the end of the calendar year (or February 28). Either way, the reporting is made through the OCR website and is fairly self-explanatory.

Many covered entities file their breach reports for breaches involving fewer than 500 individuals through the OCR website at the time they are notifying individuals, but many others wait until the deadline to self-report all such breaches.

Whether you decide to report at the time of the breach or at the end of the year, the deadline for reporting these incidents is fast approaching. If you haven’t taken care of the reporting obligation yet, now is the time to do so.

NASA Selects Hosts for Final Drone Technical Testing

This week, NASA selected the Nevada Institute for Autonomous Systems in Las Vegas and the Lone Star UAS Center for Excellence and Innovation in Corpus Christi, Texas to host the final phase of its four-year series of unmanned aircraft systems (UAS) technical demonstrations. Both of these organizations will host demonstrations to confirm whether NASA’s UAS Traffic Management (UTM) system functions safely and effectively in urban areas.

The drone flights will take place in Reno, Nevada between the months of March and June; in Corpus Christi, Texas the flights will take place in July and August.

The goal of these demonstrations is to help the commercial drone industry better understand the challenges of flying a drone in an urban environment. Additionally, these test flights will also help the industry and the Federal Aviation Administration in developing rules, policies and traffic management procedures for drone operation in heavily populated areas.

The technologies to be tested include airspace regulator Flight Information Management System, the UAS Service Supplier interface for multiple independent UAS traffic management service providers, and their interface with vehicle integrated detect-and-avoid capabilities, vehicle-to-vehicle communication and collision avoidance, and automated safe landing technologies.

Ronald Johnson, NASA’s UTM project manager, said, “This phase represents the most complicated demonstration of advanced UAS operating in a demanding urban environment that will have been tested to date.”

Privacy Tip #178 – Check and Set (and check and re-check) Your Privacy Settings

This was a particularly difficult travel week. In the past 36 hours, I have traveled on five planes in multiple cities (not always on the set itinerary due to diversions and mechanical issues) and the final leg of my travel home was “ground transportation” when my plane was diverted. Just so you know, when they mention “ground transportation” while you are sitting on a plane, it does not include a plane to your final destination. Ground transportation is when they drive you to your final destination, which today took longer than what the original flight should have taken. Okay, I admit that I am still a bit frustrated and could write a short story, but I will spare you that. As someone who tries to be “half-full,” I will tell you that the best parts of the bad travel over the past 32 hours were chatting with folks as we commiserated in the gate area about how difficult it is to travel these days, and my seat mates who wanted to strike up a conversation.

I can chat with the best of them, but sometimes I want to chat, and sometimes I don’t. In this particular case, I had lovely seatmates who were interesting and engaged and were just simply delightful. Of course, the conversation always comes to what we do for a living, and when I say I am a cybersecurity lawyer, the questions always start.

Ultimately, my conclusion, having chatted with numerous travel mates over the past 36 hours, is that no matter what your age, most people really don’t understand the privacy settings on their phone or their social media platforms. When I ask questions about who they have allowed access to their microphone, camera and location, they say they don’t know. When we look at their privacy settings together, they are shocked to see the sea of green tracking dots and to learn that they have allowed so much access. And when I tell them not to leave their phone on next to their bed at night allowing all those apps to have access to their microphone and their “private affairs,” their eyes widen and their mouths form a silent “Oh.”

The tip this week is to continue to check and set your privacy settings—microphone, location services, camera, photos, Bluetooth sharing, contacts, health, motion and fitness. If you click on those, as I periodically do, and there are numerous green dots showing just how many apps are tracking you, make a conscious decision about which ones you really want tracking you and which ones you don’t. And as I say to my kids— “Check and re-check” your decisions.

Fortnite Players Sue for Alleged Exposure of Payment Information for Vbucks

Players of the popular Fortnite video game have filed a proposed class action suit against the video game’s owner, Epic Games Inc. (“Epic”) alleging that Epic failed to protect players’ accounts, allowing hackers access to their payment details in a 2018 data breach. According to the suit, the players gave Epic their payment information in order to purchase “Vbucks,” which is the currency used while playing Fortnite. The suit alleges that Vbucks, considered digital currency, were stolen and that the hackers were also able to access players’ Fortnite accounts.

The suit states that Epic failed to use a “basic precautionary technical measure” that would have prevented the theft of the security tokens that allowed the hackers unauthorized access to the players’ Fortnite accounts. The players allege that the failure to provide adequate security measures exposed their credit and debit card numbers, and allowed the hackers to access in-game conversations among Fortnite players.

The suit alleges that Epic failed to notify the millions of affected players of the compromise within a reasonable time, and alleges violations of the Illinois Consumer Fraud and Deceptive Business Practice Act, breach of contract, breach of implied contract and negligence.