Alleged Violations of Government Data Security Requirements Yield FCA Settlement
On May 31, 2019, U.S. Attorney Stephen McAllister of the District of Kansas announced a $250,000 settlement with Coffey Health System to resolve a False Claims Act case. The case arose from allegations that the hospital’s patient data security was insufficient to justify an incentive payment from the federal government. The two whistleblowers each will receive $50,000 from the settlement.
In 2016, two whistleblowers filed a qui tam complaint under the False Claims Act, alleging that Coffey Health System (“Coffey”) improperly certified information in its applications for federal incentives. Coffey is a non-profit health provider that is affiliated with the local government in rural Coffey County, Kansas, and located in the town of Burlington with a population of approximately 3,000 city residents.
As part of the American Recovery and Reinvestment Act of 2009 enacted in the wake of the last financial crisis, the U.S. Department of Health and Human Services administered an Electronic Health Records Incentive Program (“EHR”) as part of Medicare and Medicaid to encourage adoption of electronic record systems. To apply for EHR, medical providers must attest their compliance with certain criteria, including patient data security measures and risk reviews. The complaint in this case alleged that Coffey’s certification was knowingly inaccurate, because Coffey was aware of deficiencies in its data security measures, including the lack of security risk reviews. The complaint alleged that Coffey received more than $2 million in EHR payments during the relevant years. The whistleblowers are Coffey’s former chief information officer and former compliance officer.
After a lengthy delay, the U.S. Government intervened in the case on May 23, 2019, leading to the unsealing of this case. This settlement quickly followed a week later. The settlement resolves this complaint without any determination of Coffey’s liability. The case is a reminder that even small rural health providers are not immune from whistleblower actions and government intervention—and that data security obligations are the new frontier for FCA relators.