The DOJ's Quiet Reckoning | False Claims Act & Healthcare Fraud
⚠ ENFORCEMENT ALERT: DOJ FY2025 FCA Recoveries exceed $6.8 Billion — An all-time record. Healthcare accounts for over $5.7B.
tekrisq healthcare security advisory
Active DOJ Enforcement · Updated March 2026

Lincoln's Law Is Coming for Your Billing

The False Claims Act — the government's most powerful anti-fraud weapon since 1863 — is now targeting healthcare cybersecurity failures, not just billing fraud. If you submit claims to Medicare or Medicaid, this affects you today.

⚖️ The False Claims Act (31 U.S.C. §§ 3729–3733) | 🏥 Healthcare & Business Associates | 📅 FY2025 Record Enforcement
$6.8B FY2025 Total FCA Recoveries
$5.7B Healthcare FCA Recoveries FY2025
3× Treble Damages, plus a civil penalty per false claim

What Every Healthcare SMB Must Understand About the False Claims Act

Enacted in 1863 to combat Civil War contractor fraud, the False Claims Act has evolved into the U.S. government's single most effective tool for recovering taxpayer money. In healthcare alone, it has transformed from a billing-fraud statute into a sweeping compliance mandate that now reaches deep into your IT infrastructure.

1863
The False Claims Act is Enacted
President Lincoln signs the Act to combat Civil War profiteers. Nicknamed "Lincoln's Law," it introduces the qui tam mechanism allowing private citizens to sue on the government's behalf.
1986
Major Amendments Strengthen the Law
Congress dramatically strengthens whistleblower protections and increases damages to treble (3×). Qui tam filings surge. Healthcare fraud becomes a primary focus.
2009–2010
FERA & ACA Expansions
The Fraud Enforcement and Recovery Act (2009) clarifies liability for "reverse false claims": knowingly concealing or avoiding an obligation to return money to the government. The Affordable Care Act (2010) then makes a Medicare or Medicaid overpayment such an obligation if it is not reported and returned within 60 days of being identified, so keeping it past that deadline is itself a false claim.
2021
DOJ Launches Civil Cyber-Fraud Initiative
A watershed moment: the DOJ announces it will use the FCA to pursue cybersecurity failures by government contractors and grant recipients. Cybersecurity becomes a condition of payment.
2025
All-Time Record: $6.8 Billion Recovered
FY2025 sets an all-time record for FCA recoveries. Healthcare matters alone account for over $5.7 billion. DOJ signals that cybersecurity enforcement is accelerating, not slowing.
Core Liability Standard

The FCA imposes civil liability on anyone who knowingly submits — or causes to be submitted — a false claim for government payment. "Knowing" is defined broadly: actual knowledge, deliberate ignorance, or reckless disregard of the truth. No specific intent to defraud is required. This means an executive who "chose not to ask" about compliance gaps is not shielded from liability.

Financial Consequences at a Glance

3× Damages
Treble Damages
The government recovers three times its actual damages (reducible to double damages only for prompt self-disclosure and full cooperation), plus a civil monetary penalty for each false claim submitted.
15–30%
Whistleblower Reward
Relators (qui tam filers) receive 15–25% of the recovery if the DOJ intervenes and 25–30% if they litigate the case without government intervention. This creates powerful financial incentives for insiders to report.
$2.9B
FY2024 Recovery
FY2024 recovered $2.9 billion. Then FY2025 more than doubled that figure, demonstrating a steep enforcement trajectory that shows no sign of reversing.
⚠ Whistleblower Protection — An Internal Threat Vector

Any employee, contractor, or agent who reports fraud to the government is protected from retaliation. If demoted, harassed, or terminated, they can recover reinstatement, double back pay with interest, and special damages plus attorney's fees. This means a disgruntled IT employee who witnessed a covered-up vulnerability scan has every financial and legal incentive to file a qui tam complaint.


Cybersecurity Is Now a Condition of Payment

In October 2021, the DOJ's Civil Cyber-Fraud Initiative announced it would use the FCA against government contractors and grant recipients that knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices, or knowingly fail to report incidents and breaches. For a provider that bills Medicare or Medicaid the consequence is direct: if your security certifications are inaccurate, even if no breach occurred, you may be liable for every claim you submitted while out of compliance.

The DOJ's theory is straightforward and devastating for unprepared organizations: your annual cybersecurity compliance certification is not a formality — it is a material representation to the government. If the government would not have paid your claims had it known the truth about your security posture, those claims are legally "false" from the moment they were submitted.

The Materiality Test

Under Universal Health Services v. Escobar (2016), a misrepresentation is "material" if it has a natural tendency to influence, or is capable of influencing, the government's payment decision. The Court called that standard "demanding" and said minor or insubstantial non-compliance does not meet it. The DOJ's position is that known, unfixed cybersecurity failures clear the bar: the government would not have paid had it known. On that theory, every Medicare claim submitted during a period of non-compliance is potentially a separate false claim.

High-Profile Settlements: Lessons for SMBs

September 2023
$4.1M
Verizon Business
Failed to implement three critical TIC 2.2 controls in its federal Managed Trusted Internet Protocol Service: DNSSEC, full packet capture with 24-hour storage, and FIPS 140-2 encryption standards. The company certified compliance while knowingly failing these requirements.
2024
$306K
AFDS
A smaller settlement that signals no organization is too small to prosecute. AFDS stored unencrypted screenshots containing Medicare beneficiary data — a basic HIPAA encryption failure turned into an FCA violation.
2025
$11.2M
Health Net / Centene
Paid for allegedly submitting false cybersecurity certifications under a military health benefits contract. Demonstrates that managed care organizations and their parent companies face consolidated liability for certification failures.
July 2025
$9.8M
Illumina Inc.
Sold genomic sequencing systems with hard-coded credentials and improper default access controls while falsely certifying ISO and NIST compliance. Personnel were inadequately resourced to identify and fix known vulnerabilities before product delivery.

Five Cybersecurity Obligations the DOJ Enforces

🛡️
1. Accurate Certification of Compliance
Annual certifications of compliance with NIST, HIPAA, and contract-specific security standards must reflect reality. A signed certification that does not match your actual controls is an FCA violation at the moment of submission.
🔍
2. Active Vulnerability Management
Periodic vulnerability scanning and timely patching of known weaknesses — particularly those flagged in CISA's Known Exploited Vulnerabilities (KEV) catalog — are legally required safeguards, not optional best practices.
📡
3. Continuous Network Monitoring
Systems that continuously monitor networks for intrusions and unauthorized access are a required safeguard for entities handling protected health information under government contracts.
🔒
4. Data Encryption of ePHI
Electronic Protected Health Information (ePHI) must be encrypted both at rest and in transit. The AFDS settlement shows that a single unencrypted dataset containing beneficiary information is enough to draw DOJ action.
📢
5. Timely Breach Reporting
Cybersecurity incidents must be reported to contracting agencies within the windows the contract sets, and HIPAA breaches must be reported to affected individuals and HHS without unreasonable delay and no later than 60 days after discovery (breaches affecting 500 or more individuals are also reported to the media and posted publicly by HHS). Silence after a discovered breach is a primary DOJ investigative trigger.
Business Associate Liability — You Are Not Shielded

Healthcare companies must include explicit cybersecurity clauses in all Business Associate Agreements (BAAs) and actively audit vendor compliance. If your billing vendor, EHR provider, or cloud host suffers a breach due to inadequate security, the DOJ may look upstream to the covered entity. In M&A transactions, acquiring firms can face successor liability for the predecessor organization's cybersecurity failures discovered post-acquisition.


The Specific Controls DOJ Investigators Look For

In recent FCA settlements, including Verizon, Illumina, and Health Net, the DOJ cited failures against specific, named controls rather than "weak security" in the abstract. The five NIST SP 800-171 control families below are the categories most commonly cited in civil cyber-fraud investigations. If any of the "common failures" described below exist in your environment, you may already be at risk.

Control Category | NIST 800-171 Requirement | Risk | Common Failure
Access Control | 3.1.3 CUI Flow Control | High Risk | Allowing sensitive data (CUI/ePHI) to flow to unauthorized external systems, including unsanctioned cloud storage or third-party apps.
Identification & Authentication | 3.5.3 Multi-Factor Authentication | High Risk | Failing to enforce MFA for local or remote network access, particularly on legacy systems, VPNs, and administrative portals.
Audit & Accountability | 3.3.4 Audit Logging Process Failure Alerting | High Risk | Not logging, monitoring, or reviewing security events, and not alerting when log collection stops. Log gaps are a primary indicator of concealed breaches during DOJ CID investigations.
Configuration Management | 3.4.1 Baseline Configuration | Critical | Using default vendor credentials, factory settings, or hard-coded passwords in production systems, the failure at the center of the Illumina settlement described above.
System & Information Integrity | 3.14.1 Flaw Remediation | Critical | Failing to identify and patch system flaws within required timeframes, especially vulnerabilities covered by CISA emergency directives (e.g., Log4j, Exchange), while continuing to bill federal payers.

Note: The Verizon settlement specifically cited TIC 2.2 architecture failures (DNSSEC, full packet capture, FIPS 140-2 encryption), and Illumina was cited for System and Services Acquisition (SA) and Incident Response (IR) failures; the five controls above are the baseline that DOJ investigators expect any healthcare entity handling federal data to demonstrate. Two practical caveats: the identifiers are from SP 800-171 Rev. 2 (Rev. 3, published in 2024, renumbers them, so 3.5.3 becomes 03.05.03), and SP 800-171 binds you directly only where a contract or regulation imposes it. For ePHI the HIPAA Security Rule is the statutory baseline, and each row above maps onto one of its safeguards.
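The Audit & Accountability row turns on whether a gap in your logs can be shown to be accidental rather than a cleanup. The following added example (written for this page; it is not code from DOJ, NIST, or any SIEM vendor) shows one way to make that question answerable: events are written as a SHA-256 hash chain, so that any edit or deletion after the fact breaks verification at a specific record, and silences longer than a threshold are surfaced as gaps. The event records are constructed sample data and the 30-minute threshold is an assumption.

```python
# Added example (not from the page or any vendor): hash-chained audit log with
# verification and gap detection. SAMPLE_EVENTS are constructed, not real SIEM data.
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # previous-hash value for the first record in the chain

# Constructed SIEM events, ~10 minutes apart except for one 105-minute hole.
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T09:00:00+00:00", "src": "ehr-app-01", "event": "login", "user": "alice", "mfa": True},
    {"ts": "2026-02-03T09:10:00+00:00", "src": "vpn-gw", "event": "login", "user": "bob", "mfa": False},
    {"ts": "2026-02-03T09:20:00+00:00", "src": "ehr-app-01", "event": "record_export", "user": "bob"},
    {"ts": "2026-02-03T11:05:00+00:00", "src": "siem", "event": "collector_restart"},
    {"ts": "2026-02-03T11:10:00+00:00", "src": "ehr-app-01", "event": "login", "user": "carol", "mfa": True},
]


def _body(rec):
    """Canonical JSON of a record minus the chain fields, so hashing is deterministic."""
    fields = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def chain_records(records):
    """Append prev_hash/hash to each record; each hash covers the body and the previous hash."""
    out, prev = [], GENESIS
    for rec in records:
        h = hashlib.sha256((prev + _body(rec)).encode()).hexdigest()
        out.append({**rec, "prev_hash": prev, "hash": h})
        prev = h
    return out


def verify_chain(chained):
    """Return -1 if every link checks out, else the index of the first record that breaks the chain."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        expected = hashlib.sha256((prev + _body(rec)).encode()).hexdigest()
        if rec.get("prev_hash") != prev or rec.get("hash") != expected:
            return i
        prev = rec["hash"]
    return -1


def find_gaps(chained, max_silence=timedelta(minutes=30)):
    """Return (start, end) ISO pairs for consecutive records further apart than max_silence."""
    times = [datetime.fromisoformat(r["ts"]) for r in chained]
    return [(a.isoformat(), b.isoformat()) for a, b in zip(times, times[1:]) if b - a > max_silence]


def edit_record(chained, idx, **changes):
    """Copy the chain and alter one record without re-hashing, as an after-the-fact 'cleanup' would."""
    copy = [dict(r) for r in chained]
    copy[idx].update(changes)
    return copy


def delete_record(chained, idx):
    """Copy the chain and drop one record, simulating a deleted log line."""
    return [dict(r) for i, r in enumerate(chained) if i != idx]


CHAINED = chain_records(SAMPLE_EVENTS)

if __name__ == "__main__":
    print("intact chain breaks at:", verify_chain(CHAINED))
    print("edited record breaks at:", verify_chain(edit_record(CHAINED, 1, mfa=True)))
    print("deleted record breaks at:", verify_chain(delete_record(CHAINED, 2)))
    print("silent gaps:", find_gaps(CHAINED))
```

A hash chain detects tampering but does not prevent it: pair it with storage that rejects overwrites (object lock or WORM archiving) and keep the current chain head somewhere the log writer cannot reach. The gap finder is only a triage signal; in the sample the collector restart explains the hole, and that is exactly the explanation you want written down before a CID asks for it.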


The 5 Red Flags That Put You in the DOJ's Crosshairs

When a whistleblower files a qui tam complaint under the Civil Cyber-Fraud Initiative, the DOJ screens it against a framework of "material" failures. These are the five patterns that most reliably escalate a complaint into a formal DOJ investigation, and ultimately an FCA settlement or judgment.

1. "Paper Compliance" vs. Reality
This is the most common DOJ enforcement trigger. The organization maintains a System Security Plan (SSP) or HIPAA risk assessment that documents perfect controls on paper, but internal audits, employee communications, or forensic evidence reveal the controls were never implemented.
Real-world example: Claiming 100% MFA coverage in your annual certification while knowing that dozens of legacy EHR terminals and remote access pathways use single-password authentication. The DOJ compares your certification against your identity provider's sign-in logs, and the gap shows.
2. Disregard for Internal Warnings
The DOJ specifically searches for a "paper trail of protest." If your CISO, IT Manager, or compliance officer flagged a vulnerability in emails, Slack messages, budget requests, or board meeting minutes, and leadership chose to defer it, that establishes the "knowing" or "reckless disregard" element required for FCA liability. This is the single most damaging evidence pattern.
What the DOJ seeks: Slack/Teams logs between IT staff discussing unresolved vulnerabilities. Internal budget requests for security tools that were denied. CISO memos warning about unpatched systems that were filed away and ignored.
3. Hard-Coded or Default Credentials
The presence of hard-coded "admin" passwords, factory-default credentials left unchanged, or vendor-installed backdoor accounts is treated by the DOJ as evidence of "reckless disregard" for basic security hygiene. The Illumina settlement (2025) was built substantially on this finding. Any compliance certification submitted while these conditions existed is, in the DOJ's view, inherently false.
SMB exposure point: Many small healthcare practices use medical IoT devices (infusion pumps, imaging equipment, telehealth platforms) that ship with default credentials. If these devices are networked and touch your billing systems, you carry FCA exposure.
4. Failure to Patch "Known" Critical Vulnerabilities
When CISA issues an emergency directive or adds a vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, and your organization keeps billing Medicare or Medicaid without patching, the DOJ views this as a breach of the implicit certification that your systems meet security standards. Emergency directives bind federal civilian agencies rather than private providers, but they are public, so they establish that the vulnerability was known and actively exploited; "we did not know" is not a defense.
High-risk examples: Failure to apply Log4j mitigations (CVE-2021-44228), unpatched Microsoft Exchange vulnerabilities, or any critical CVE listed in CISA's KEV catalog while simultaneously billing federal health programs.
5. Inadequate Incident Response & "Silent" Breaches
The DOJ is acutely suspicious of organizations that suffer a data breach, remediate it internally, and never notify federal agencies. If a whistleblower can prove that the organization knew about an intrusion and deliberately chose not to report it, particularly if billing continued during the concealment period, the FCA exposure is compounded by the breach itself and the duration of continued billing.
The 72-hour rule: Many federal contracts require incident reports within 72 hours (the DoD's DFARS 252.204-7012 clause is the best-known example). HIPAA separately requires notifying affected individuals and HHS without unreasonable delay and no later than 60 days after discovery. A "quiet clean-up" that avoids these obligations, when later exposed through a whistleblower or forensic investigation, presents the most severe FCA liability scenario.
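Red flag 1 turns on a comparison the DOJ can make with your own data: the MFA coverage you certified against the sign-ins your identity provider recorded. The following added example (not code from the page, the DOJ, or any identity vendor) runs that comparison over a constructed JSON Lines sign-in log. The field names, the in-scope rule (remote access, admin accounts, and the EHR, VPN and admin-portal apps, matching the page's list), and the sample users are assumptions; map your provider's export onto them.

```python
# Added example (not from the page or any identity vendor): MFA coverage from sign-in logs.
# SAMPLE_SIGNIN_LOG is constructed JSON Lines with a generic schema, not a real IdP export.
import json

SAMPLE_SIGNIN_LOG = """\
{"ts":"2026-02-03T08:01:00Z","user":"alice","app":"EHR","network":"remote","role":"user","mfa":true}
{"ts":"2026-02-03T08:04:00Z","user":"bob","app":"EHR","network":"internal","role":"user","mfa":false}
{"ts":"2026-02-03T08:09:00Z","user":"carol","app":"VPN","network":"remote","role":"admin","mfa":false}
{"ts":"2026-02-03T08:12:00Z","user":"dave","app":"Email","network":"internal","role":"user","mfa":false}
{"ts":"2026-02-03T08:15:00Z","user":"alice","app":"VPN","network":"remote","role":"user","mfa":true}
{"ts":"2026-02-03T08:20:00Z","user":"erin","app":"AdminPortal","network":"internal","role":"admin","mfa":true}
{"ts":"2026-02-03T08:31:00Z","user":"bob","app":"EHR","network":"internal","role":"user","mfa":false}
{"ts":"2026-02-03T08:40:00Z","user":"frank","app":"Email","network":"remote","role":"user","mfa":false}
"""

# Apps the page says must always sit behind MFA (assumed names for this example).
MFA_REQUIRED_APPS = {"EHR", "VPN", "AdminPortal"}


def parse_signins(text):
    """Parse JSON Lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_scope(ev):
    """True if the page's policy requires MFA for this sign-in: remote, admin, or a protected app."""
    return ev["network"] == "remote" or ev["role"] == "admin" or ev["app"] in MFA_REQUIRED_APPS


def _pct(num, den):
    return round(100.0 * num / den, 1) if den else 0.0


def mfa_report(events):
    """Coverage overall, for in-scope sign-ins, per app, plus every in-scope sign-in that lacked MFA."""
    per_app = {}
    for e in events:
        n, m = per_app.get(e["app"], (0, 0))
        per_app[e["app"]] = (n + 1, m + (1 if e["mfa"] else 0))
    scoped = [e for e in events if in_scope(e)]
    violations = [e for e in scoped if not e["mfa"]]
    return {
        "total": len(events),
        "coverage_pct": _pct(sum(1 for e in events if e["mfa"]), len(events)),
        "in_scope_pct": _pct(sum(1 for e in scoped if e["mfa"]), len(scoped)),
        "per_app_pct": {app: _pct(m, n) for app, (n, m) in per_app.items()},
        "violations": violations,
        "unprotected_users": sorted({e["user"] for e in violations}),
    }


def certification_holds(report, claimed_pct):
    """Do the logs support a certification claiming claimed_pct MFA coverage for in-scope access?"""
    return report["in_scope_pct"] >= claimed_pct


REPORT = mfa_report(parse_signins(SAMPLE_SIGNIN_LOG))

if __name__ == "__main__":
    print(f"overall MFA coverage: {REPORT['coverage_pct']}%  in-scope: {REPORT['in_scope_pct']}%")
    print("per app:", REPORT["per_app_pct"])
    print("in-scope sign-ins without MFA:", len(REPORT["violations"]), "users:", REPORT["unprotected_users"])
    print("'100% MFA' certification supported by logs:", certification_holds(REPORT, 100))
```

Overall and in-scope coverage are reported separately because a certification usually speaks to in-scope access, and an investigator will ask which one you meant. The violations list is the evidence that matters: each row is a single-factor sign-in that a "100% MFA" certification says could not have happened.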
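Red flag 3 is cheap to check before someone else does. The following added example (not from the page, Illumina, or any device vendor) scans configuration exports and source snippets for credential assignments and classifies each as a vendor default, an empty password, a credential hard-coded in source, or a plaintext credential in a config file. The artifacts and the default-credential list are constructed; a real audit substitutes your vendors' documented defaults and a published default-password list.

```python
# Added example (not from the page or any vendor): static audit for default and
# hard-coded credentials. ARTIFACTS and DEFAULT_CREDENTIALS are constructed.
import re

# Constructed text artifacts, as a pre-certification audit might collect them.
ARTIFACTS = {
    "infusion-pump-07/config.ini": "[device]\nusername = admin\npassword = admin\n",
    "imaging-srv/app.properties": "db.user=imaging\ndb.password=Wq7!kL9#pZ2m\n",
    "sequencer-ctrl/src/auth.py": 'SERVICE_USER = "svc_maint"\nSERVICE_PASSWORD = "Maint2019!"\n',
    "telehealth-gw/config.yaml": "auth:\n  user: root\n  password: ''\n",
}

# Constructed (user, password) defaults, lower-cased; stand-in for a vendor default list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234")}

# One "key = value" / "key: value" line whose key ends in a credential word; quotes optional.
CRED_RE = re.compile(
    r"""^\s*(?P<key>[\w.\-]*(?:user(?:name)?|passw(?:or)?d|pwd|secret))\s*[:=]\s*["']?(?P<val>[^"'\r\n]*?)["']?\s*$""",
    re.IGNORECASE,
)


def classify_key(key):
    """'user' for username-like keys, 'password' for everything else the pattern accepts."""
    k = key.lower()
    return "user" if k.endswith("user") or k.endswith("username") else "password"


def scan_artifact(path, text):
    """Findings for one file; the most recent username line is paired with each password line."""
    findings, current_user = [], None
    for line_no, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if classify_key(key) == "user":
            current_user = val
            continue
        if val == "":
            kind = "empty-password"
        elif ((current_user or "").lower(), val.lower()) in DEFAULT_CREDENTIALS:
            kind = "vendor-default"
        elif "/src/" in path:
            kind = "hard-coded-in-source"
        else:
            kind = "plaintext-in-config"
        findings.append({"path": path, "line": line_no, "kind": kind, "user": current_user, "password": val})
    return findings


def audit(artifacts):
    """Run the scan over every artifact and return all findings in file order."""
    return [f for path, text in artifacts.items() for f in scan_artifact(path, text)]


if __name__ == "__main__":
    for f in audit(ARTIFACTS):
        print(f"{f['path']}:{f['line']}  {f['kind']:22} user={f['user']!r}")
```

Static scanning finds what sits in files; it does not prove what a device is running. Follow each finding with an authenticated check on the device itself, and keep both results in the audit record, since a certification signed after the scan needs to show the defaults were changed, not merely noticed.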
🔎 How the DOJ Investigates: Civil Investigative Demands (CIDs)

The DOJ issues Civil Investigative Demands to compel production of: Slack/Teams communication logs between IT staff discussing vulnerabilities; prior audit reports (SOC 2, HITRUST, penetration tests) that may have been suppressed or misrepresented; and, critically, cyber insurance applications, where companies typically provide more accurate (and often contradictory) security disclosures than in their government certifications. The DOJ specifically compares your insurance application against your government certifications to identify discrepancies.


Building Your "Defensive File" Against DOJ Investigation

The DOJ evaluates whether your cybersecurity certifications were objectively reasonable at the time they were made. The best defense is not perfection — it is a documented, audit-ready evidence trail demonstrating good-faith compliance efforts. Use the checklist below to assess your organization's readiness.

Compliance Readiness Checklist (20 items)
System Security Plan (SSP) — Updated within 12 months
A living document mapping every NIST control to your actual implementation. A 3-year-old SSP is a major red flag to investigators.
Plan of Action & Milestones (POA&M) — Actively maintained
An honest, documented list of security gaps with specific remediation timelines and budget allocations. The DOJ views a candid POA&M as evidence of good faith; hiding gaps is evidence of fraud.
Complete Information Asset Inventory
A current inventory of all hardware, software, and IoT/medical devices connected to your network — especially anything that touches billing or patient data systems.
Annual HIPAA Risk Assessment Documented
Formal, signed, and dated risk assessment covering all ePHI data flows — conducted by qualified personnel or an independent third party.
MFA Enforcement Logs from Identity Provider
Exportable reports from Okta, Duo, Microsoft Entra ID (formerly Azure AD), or equivalent proving MFA is enforced across the entire enterprise, especially for remote access, admin portals, and EHR systems.
Patch Management Records — CVE timeline documented
Evidence that Critical and High CVEs are patched within contract-required timelines. Cross-reference CISA's KEV catalog to confirm no active exploits were left unmitigated.
Immutable SIEM Audit Logs — Tamper-resistant storage
Logs stored in a manner that prevents modification (e.g., write-once storage, cloud log archiving). Investigators will assess whether log gaps are accidental or deliberate.
Encryption Verified for All ePHI at Rest and in Transit
Documentation confirming AES-256 (or equivalent) encryption for stored ePHI and TLS 1.2+ for all data in transit — including backup media, portable drives, and cloud storage.
Default/Hard-Coded Credential Audit Completed
A formal scan and remediation confirming no production systems, medical devices, or network equipment use vendor-default or hard-coded credentials.
Board & Executive Cybersecurity Briefing Minutes
Documented evidence that leadership was briefed on cybersecurity risks — demonstrating the absence of "deliberate ignorance" and an engaged governance posture.
Annual Security Awareness Training Records
Completion certificates and phishing simulation results for all employees handling government data or patient information — with attestation signatures.
Internal Whistleblower Policy & Anonymous Hotline
A documented, accessible channel for employees to report security concerns internally — with evidence that reports are investigated, not suppressed. This demonstrates good faith and may reduce DOJ penalties if issues are self-reported.
Communication Policy for Sensitive Security Discussions
A written policy ensuring that security vulnerability discussions are properly documented in formal channels — not merely in informal Slack threads where context may be misinterpreted during a CID review.
Updated Business Associate Agreements (BAAs) with Cybersecurity Riders
Every vendor touching PHI must have a current BAA that includes specific cybersecurity obligations, incident reporting timelines, and right-to-audit clauses.
Third-Party Audit Reports — SOC 2 Type II or HITRUST
Current (within 12 months) independent audit results for your organization and, where possible, for critical vendors. These provide objective evidence of compliance posture.
Cyber Liability Insurance Policy — Consistent with Certifications
Active cyber insurance with coverage adequate for your government contract exposure. Critical: Your application must be consistent with your government certifications — discrepancies are a primary DOJ investigative tool.
M&A Cybersecurity Due Diligence Documentation
If you have acquired any entity, documented evidence that you conducted a cybersecurity assessment prior to or immediately after closing — to establish awareness of and response to any predecessor compliance gaps.
Written Incident Response Plan (IRP) with Federal Notification Steps
A formal IRP that names each notification obligation and its deadline: the contract-specific window for the contracting agency (often 72 hours), the HIPAA Breach Notification Rule's 60-day outside limit for HHS and affected individuals, and any CISA reporting requirement that applies to you, with designated responsible personnel and escalation paths.
Annual Tabletop Exercise Reports
Documented summaries of annual "war game" simulations where your team practiced responding to a ransomware attack or data breach — with lessons learned and remediation actions taken.
Breach Notification Records — All Prior Incidents Documented
A complete, searchable log of every security incident, near-miss, and breach notification — demonstrating a consistent pattern of timely, good-faith reporting.
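The patch-record item above asks for a CVE timeline cross-referenced against CISA's KEV catalog. The following added example (not from the page or CISA) computes, for each asset, how many days past the KEV due date a fix landed or remains open, which is also the window during which claims kept going out. The KEV entries mirror the catalog's real JSON field names (cveID, vendorProject, product, dateAdded, dueDate) but their dates, like the patch records, are constructed for illustration, not the catalog's actual values.

```python
# Added example (not from the page or CISA): patch lag measured against KEV due dates.
# KEV_SNAPSHOT mimics the catalog's field names with constructed dates; PATCH_RECORDS
# are constructed internal records. For a live check, replace KEV_SNAPSHOT with
# json.load() of the downloaded known_exploited_vulnerabilities.json file.
import json
from datetime import date

KEV_SNAPSHOT = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
  "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
 {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
  "dateAdded": "2021-11-03", "dueDate": "2021-11-17"}
]}""")

# Constructed patch records: asset, CVE, and the date the fix was verified (None = still open).
PATCH_RECORDS = [
    {"asset": "ehr-app-01", "cve": "CVE-2021-44228", "patched_on": "2022-01-20"},
    {"asset": "imaging-srv", "cve": "CVE-2021-44228", "patched_on": None},
    {"asset": "mail-01", "cve": "CVE-2021-26855", "patched_on": "2021-11-10"},
]


def kev_due_dates(snapshot):
    """Map each KEV CVE id to its CISA due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in snapshot["vulnerabilities"]}


def kev_exposure(patch_records, snapshot, as_of):
    """For every record whose CVE is in KEV, report days past the due date, worst first.

    status is 'on_time' (fixed by the due date), 'late' (fixed after it) or 'open'
    (still unpatched as of the as_of date, so the lag keeps growing).
    """
    due = kev_due_dates(snapshot)
    as_of = date.fromisoformat(as_of)
    findings = []
    for rec in patch_records:
        if rec["cve"] not in due:
            continue  # not a KEV entry; report it under the normal patch SLA instead
        fixed = date.fromisoformat(rec["patched_on"]) if rec["patched_on"] else None
        days_late = max(0, ((fixed or as_of) - due[rec["cve"]]).days)
        status = "open" if fixed is None else ("late" if days_late else "on_time")
        findings.append({"asset": rec["asset"], "cve": rec["cve"], "status": status, "days_past_due": days_late})
    return sorted(findings, key=lambda f: -f["days_past_due"])


def worst_exposure(findings):
    """The single finding an investigator would lead with, or None if nothing is covered by KEV."""
    return findings[0] if findings else None


if __name__ == "__main__":
    for f in kev_exposure(PATCH_RECORDS, KEV_SNAPSHOT, as_of="2022-03-01"):
        print(f"{f['asset']:12} {f['cve']}  {f['status']:8} {f['days_past_due']:3d} days past KEV due date")
```

days_past_due on an open item grows with every run, which is the point: the number an investigator will compute later is the one you should be watching now, and a signed certification dated inside that window is what the page calls paper compliance.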

FCA TEKCHEK: Your Exposure Profile

Answer these five questions honestly. This tool is a starting point for reflection — not legal advice. If your results indicate elevated risk, consult a qualified healthcare compliance attorney or cybersecurity advisor immediately.


1. When was your System Security Plan (SSP) or HIPAA Risk Assessment last formally updated and signed?
2. Is Multi-Factor Authentication (MFA) enforced for ALL remote access, administrative portals, and EHR system logins?
3. Has your organization experienced a security incident in the last 24 months that was NOT reported to HHS or your federal contracting agency?
4. When CISA issues an emergency patch directive for a critical vulnerability, how quickly does your organization typically remediate?
5. If a current or former employee with IT access filed a whistleblower complaint today, how confident are you in your documented compliance evidence?

Don't Wait for a Civil Investigative Demand

The DOJ doesn't announce investigations in advance. By the time you receive a CID, your Slack logs, audit reports, and insurance applications are already being compared against your government certifications. The time to build your defensive file is now.


Security & Compliance Advisor for Healthcare SMBs

This publication is intended for general informational and educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. The False Claims Act enforcement landscape evolves rapidly. Healthcare providers and business associates should consult qualified healthcare compliance counsel regarding their specific obligations.

References: 31 U.S.C. §§ 3729–3733 · DOJ FY2025 FCA Statistics · DOJ Civil Cyber-Fraud Initiative (Oct. 2021) · NIST SP 800-171 Rev. 2 · CISA Known Exploited Vulnerabilities Catalog · Universal Health Services v. United States ex rel. Escobar, 579 U.S. 176 (2016)

Updated March 2026 · For SMB Healthcare Providers & Business Associates