Ethical Hacking News

A US Government Contractor Agrees to Pay $306,722 to Settle Allegations it Failed to Properly Safeguard Medicare Beneficiaries' Personal Data


A US government contractor will pay $306,722 in restitution to settle claims that it violated cyber security rules before a breach compromised Medicare beneficiaries' personal data, without admitting liability for the allegations. The settlement marks an important milestone in the Department of Justice's ongoing efforts to hold accountable government contractors who mishandle sensitive personal information.

  • ASRC Federal Data Solutions (AFDS) will pay $306,722 in restitution to settle allegations that it failed to properly safeguard Medicare beneficiaries' personal data.
  • AFDS agreed to waive its rights to reimbursement for the money spent remediating the data exposure and will also pay $877,578 for notifying victims of the breach and offering credit monitoring services.
  • The alleged breach occurred due to a subcontractor's failure to comply with Department of Health and Human Services' cyber security requirements.
  • The subcontractor had configured disk-level encryption in a way that allowed unauthorized access, and unencrypted screenshots containing PII were stolen during the breach.
  • AFDS is being held accountable under the False Claims Act for allegedly billing the CMS for time spent taking, storing, and managing the unencrypted screenshots while violating HHS' cyber security requirements.
  • The Department of Justice emphasizes its commitment to protecting healthcare data and holding contractors accountable for mishandling sensitive personal information.



The US Department of Justice has announced that a Virginia-based government contractor, ASRC Federal Data Solutions (AFDS), will pay $306,722 in restitution to settle allegations that it failed to properly safeguard the personal data of Medicare beneficiaries. The settlement agreement was reached on October 16, 2024, and marks a significant milestone in the ongoing efforts by the Department of Justice to hold accountable government contractors who mishandle sensitive personal information.

According to the terms of the agreement, AFDS will pay $306,722 in restitution, which includes $877,578 spent notifying victims that their data had been leaked and offering credit monitoring services. The company has also agreed to waive its rights to reimbursement for the money it has already spent remediating the data exposure.

The allegations against AFDS stem from a shift to electronic handling of "certain Medicare support services" that the company provided to the Centers for Medicare and Medicaid Services (CMS) between March 10, 2021, and October 8, 2022. The central allegation is that a subcontractor engaged by AFDS did not comply with the Department of Health and Human Services' (HHS) cyber security requirements, which ultimately enabled the breach in which the data was stolen.

The subcontractor allegedly used disk-level encryption for files stored on the server but configured it so that it blocked access only to individuals presenting invalid credentials. The encryption therefore protected the files only against someone without a valid login; anyone holding valid credentials, whether or not they were the rightful user, could read the personally identifiable information (PII) the files contained. The subcontractor also took screenshots of CMS systems that contained PII, and these were stolen when the subcontractor's servers were breached in October 2022.

The allegations against AFDS were brought under the False Claims Act and relate specifically to the company's billing of the CMS for "time spent taking, storing, and managing the unencrypted screenshots" while allegedly operating in violation of HHS' cyber security requirements. The Department of Justice alleges that AFDS failed to properly safeguard the personal data of Medicare beneficiaries, a critical responsibility for government contractors.

"This settlement demonstrates the commitment by HHS-OIG and our law enforcement partners to use every available tool to protect the healthcare data of all Americans and to investigate allegations of fraud, waste, and abuse against the public and taxpayer-funded healthcare programs," declared Brian M. Boynton, principal deputy assistant attorney general and head of the Justice Department's Civil Division.

The Office of Public Affairs explained that the subcontractor's server was breached by a third party in October 2022, and that the unencrypted screenshots were allegedly compromised in that breach. The claims against AFDS arise because it billed the CMS for time spent taking, storing, and managing those screenshots while allegedly violating HHS' cyber security requirements.

Stephen Niemczak, special agent in charge at the Department of Health and Human Services Office of the Inspector General (HHS-OIG), asserted that safeguarding patients' sensitive personal information is of paramount importance. "This settlement demonstrates our commitment to use every available tool to protect the healthcare data of all Americans and to investigate allegations of fraud, waste, and abuse against the public and taxpayer-funded healthcare programs."

AFDS was credited in the agreement for its actions in the immediate aftermath of the breach, including alerting the CMS within an hour of the subcontractor informing it of the situation, ordering a full review of its own security by third-party consultants, delivering additional security training to staff, and promptly responding to every Justice Department request.

The settlement highlights the critical responsibility that government contractors have to safeguard the personal data of beneficiaries, particularly in healthcare settings where sensitive information is involved.

In a broader context, the incident highlights the need for government agencies and private contractors to prioritize cybersecurity and take proactive steps to protect against cyber threats. The settlement also underscores the importance of complying with established regulations and standards so that sensitive personal information is handled responsibly and securely.

The Department of Justice has vowed to continue pursuing contractors who fail to comply with required cybersecurity protocols, while extending cooperation credit where warranted for self-disclosure, cooperation, and remediation. The agency emphasized its commitment to protecting the healthcare data of all Americans and holding accountable those who mishandle sensitive personal information.



Related Information:

  • https://go.theregister.com/feed/www.theregister.com/2024/10/16/us_contractor_pays_300k_in/

  • https://www.msn.com/en-us/money/companies/us-contractor-pays-300k-to-settle-accusation-it-didnt-properly-look-after-medicare-users-data/ar-AA1soHkO

  • https://www.theregister.com/2024/10/16/us_contractor_pays_300k_in/


Published: Thu Oct 17 00:05:20 2024 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.