FCA Qui Notes
January 6, 2025

An Update on DOJ’s Civil Cyber Fraud Initiative To Kick Off the New Year With Universities Still in DOJ’s Crosshairs

Qui Notes: Unlocking the False Claims Act

As we previously reported in May, June, and September of 2024, the U.S. Department of Justice’s (DOJ) three-plus-year-old Civil Cyber Fraud Initiative (CCFI) has been picking up speed. In the last few months of 2024, DOJ announced two more settlements resolving cyber cases in quick succession, filed its first complaint in intervention in a CCFI-related qui tam, and filed a brief opposing dismissal of that case. The two settlements demonstrate the breadth of DOJ’s cyber enforcement, with one alleging noncompliance with cyber obligations by a U.S. Department of Defense contractor, and the other arising from allegedly improper storage of healthcare patient data. And DOJ’s opposition brief provides insight into the legal arguments we may see from the government in these cases, including that “common sense alone” supports the materiality of relevant cybersecurity requirements.

The first of the two cyber settlements involved Penn State University, which began with a qui tam suit filed in the Eastern District of Pennsylvania. The relator was the former chief information officer for Penn State’s Applied Research Laboratory. DOJ in the settlement agreement alleged that Penn State failed to adhere to the cybersecurity requirements in National Institute of Standards and Technology Special Publication (NIST SP) 800-171 that were incorporated into 15 federal contracts or subcontracts that Penn State held. DOJ specifically alleged that Penn State failed to implement certain of the 110 NIST SP 800-171 security requirements, failed to develop and implement plans of action to correct deficiencies, knowingly misrepresented the dates by which it expected to implement all of the NIST controls, and did not use an external cloud service provider that met the requirements of DFARS 252.242-7012(b)(2)(ii)(D). Penn State settled before discovery began and agreed to pay $1.25 million, of which $1 million would go to the government and $250,000 would go to the relator.

The second settlement involves ASRC Federal Data Solutions (AFDS) and its contract to provide Medicare support services to the Centers for Medicare and Medicaid Services (CMS). Under that contract, AFDS came into possession of personally identifiable information — potentially including health information — for Medicare beneficiaries. DOJ alleged that AFDS and its subcontractor stored some of this information in unencrypted screenshots and that the lack of encryption led to the data being compromised when the subcontractor’s system was breached in 2022. According to DOJ, this manner of storing patient data ran afoul of the cybersecurity requirements AFDS agreed to in its contract with CMS. AFDS agreed to pay DOJ over $300,000.

While AFDS’ settlement demonstrates the potential pitfalls of failing to adhere to contractual cybersecurity terms, it also shows the potential benefits of prompt disclosure and thorough cooperation with the government following a cyber incident. The settlement agreement notes that “AFDS notified CMS of the breach within one hour of being notified” of it by its subcontractor; “immediately stopped” storing information in the manner that was at risk of compromise; “worked cooperatively with CMS” to identify affected patients, notify them of the breach, and provide credit-monitoring services; instituted training for its employees; and retained a consultant to ensure future compliance with applicable cyber requirements. In return, AFDS received credit pursuant to Section 4-4.112 of DOJ’s Justice Manual (the Guidelines for Taking Disclosure, Cooperation, and Remediation into Account in False Claims Act Matters), and was only required to pay restitution (i.e., single damages) without any additional penalty.

Finally, just before the 2024 holidays, DOJ filed its opposition to Georgia Tech’s motion to dismiss the government’s complaint in intervention. DOJ took on a primary argument by Georgia Tech that because it performed “fundamental research” under the relevant federal contracts, it was not required to comply with the cybersecurity requirements cited in DOJ’s complaint. DOJ responded that Georgia Tech’s arguments impermissibly go outside the scope of the pleadings but that, regardless, the university’s self-selected record does not defeat DOJ’s allegations that Georgia Tech indeed was required to comply with the identified cybersecurity obligations. DOJ went on to argue that its complaint adequately pleads falsity, knowledge, and materiality. Notably, with respect to materiality, DOJ argued, among other things, that “common sense alone supports the materiality of the cybersecurity requirements Defendants allegedly breached,” particularly because the Department of Defense had contracted with Georgia Tech to develop technologies that could enable identification of cyber threat actors and limit cyber attacks in the first place, and Georgia Tech itself has been a victim of such attacks. Georgia Tech’s reply is due later this month. We here at Qui Notes will continue to keep you updated on developments in this case as well as the CCFI more broadly.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.