CMS contractor takes $1.2M loss after data breach, DOJ lawsuit

A vendor that supports federal Medicare programs has been fined by the U.S. Department of Justice (DOJ) for violating the False Claims Act. 

The Centers for Medicare & Medicaid Services (CMS) contractor, Federal Data Solutions, is accused of failing to secure screenshots containing the personal health information of Medicare enrollees, storing them on a subcontractor’s server without encrypting the images to protect them against a cyberattack.

The server was breached in 2022 and hackers allegedly accessed and stole the images, the DOJ said in a statement

Federal Data Solutions has agreed to settle the case for $306,722 and will also “waive any rights to reimbursement for remediating a data breach involving the information,” which the DOJ said adds up to at least $877,578 in costs to cover expenses, including investigating the incident, securing the server, notifying patients and offering them identity protection services. 

“Government contractors that handle personal information must take required steps to safeguard that information from cyberattacks,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will vigilantly pursue contractors that fail to comply with required cybersecurity protocols, while at the same time extending cooperation credit where warranted for self-disclosure, cooperation and remediation.”

The subcontractor's server had disk-level encryption, but it was removed with credentials via a login, providing criminals access to personally identifiable information from Medicare patients. Under the law, this is not a sufficient level of security—yet, Federal Data Solutions billed CMS for storing the images anyway, the DOJ said.

The agency added that Federal Data Solutions fully cooperated with federal authorities, including CMS, to investigate and resolve the incident. 

The inadequate server was actively used from March 10, 2021 until the data breach on Oct. 8, 2022, the DOJ said. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”

FDA Commissioner Robert Califf, MD, said the clinical community needs to combat health misinformation at a grassroots level. He warned that patients are immersed in a "sea of misinformation without a compass."

Trimed Popup
Trimed Popup