US contractor pays $300K to settle accusation it didn't properly look after Medicare users' data

Resolves allegations it improperly stored screenshots containing PII that were later snaffled


A US government contractor will settle claims it violated cyber security rules prior to a breach that compromised Medicare beneficiaries' personal data.

Virginia-based ASRC Federal Data Solutions (AFDS) signed a deal with the Justice Department this week agreeing to pay $306,722 in restitution, but without admitting liability for the allegations.

AFDS also agreed to waive rights to reimbursement for the money it already spent remediating the data exposure. This includes the $877,578 spent notifying victims that their data had been leaked and offering credit monitoring.

"Government contractors that handle personal information must take required steps to safeguard that information from cyber attacks," declared Brian M Boynton, principal deputy assistant attorney general and head of the Justice Department's Civil Division. 

"We will vigilantly pursue contractors that fail to comply with required cyber security protocols, while at the same time extending cooperation credit where warranted for self-disclosure, cooperation, and remediation."

The allegations concern the electronic handling of "certain Medicare support services" that AFDS provided to the Centers for Medicare and Medicaid Services (CMS) between March 10, 2021, and October 8, 2022. The work had previously been done in person using hard copies of documents; the move to electronic record-keeping was made during the COVID-19 pandemic.

The primary allegation was that a subcontractor engaged by AFDS, whose servers were used to carry out the electronic work, was not compliant with the Department of Health and Human Services' (HHS) cyber security requirements, and that this non-compliance ultimately made the break-in and data theft possible.

According to the settlement agreement [PDF], the subcontractor relied on disk-level encryption for files stored on the server. That protects data only against someone who cannot log in, such as a thief holding the physical disk: once a session is authenticated, the operating system decrypts the volume transparently, so anyone with valid credentials could read the protected files in the clear.

During the specified timeframe, the subcontractor allegedly took screenshots from CMS systems that contained personally identifiable information (PII). These screenshot files were not encrypted individually, at the file or application level, and were later accessed by an unauthorized third party who was using valid credentials.
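The distinction the settlement turns on, disk-level encryption versus per-file encryption under a key the server does not hold, is easiest to see in code. The following is an added illustration, not code from the settlement, AFDS or the subcontractor: it envelope-encrypts one "screenshot" (a constructed text sample standing in for an image) with AES-256-GCM under a fresh per-file data key, wraps that key under a key-encryption key assumed to live in an external KMS or HSM, and then compares what a reader holding valid server credentials can see in each model. The file path used as associated data is made up for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample standing in for one captured screenshot. A real capture
// would be an image; the contrast below does not depend on the format.
var sampleScreenshot = []byte("Beneficiary: Jane Doe (constructed sample); ID: SAMPLE-0000; DOB: 01/01/1950")

const (
	nonceSize = 12 // standard AES-GCM nonce length
	dekSize   = 32 // AES-256 data-encryption key
	tagSize   = 16 // AES-GCM authentication tag
)

// newGCM wraps a 32-byte key in an AES-256-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != dekSize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// SealFile envelope-encrypts one file: a fresh per-file DEK encrypts the
// contents and is itself wrapped under kek, a key assumed to be fetched from
// an external KMS/HSM and never stored on the file server. aad binds the blob
// to a context such as the file path so blobs cannot be swapped between
// records. Layout: wrapNonce(12) | wrappedDEK(32+16) | dataNonce(12) | ct+tag.
func SealFile(kek, plaintext, aad []byte) ([]byte, error) {
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	r, err := randomBytes(dekSize + 2*nonceSize) // DEK, wrap nonce, data nonce
	if err != nil {
		return nil, err
	}
	dek, wrapNonce, dataNonce := r[:dekSize], r[dekSize:dekSize+nonceSize], r[dekSize+nonceSize:]
	dekGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	blob := append([]byte{}, wrapNonce...)
	blob = kekGCM.Seal(blob, wrapNonce, dek, aad)
	blob = append(blob, dataNonce...)
	return dekGCM.Seal(blob, dataNonce, plaintext, aad), nil
}

// OpenFile reverses SealFile. Without the KEK the wrapped DEK cannot be
// recovered, so valid server credentials alone yield only ciphertext.
func OpenFile(kek, blob, aad []byte) ([]byte, error) {
	const header = nonceSize + dekSize + tagSize + nonceSize
	if len(blob) < header+tagSize {
		return nil, errors.New("blob too short")
	}
	wrapNonce := blob[:nonceSize]
	wrappedDEK := blob[nonceSize : nonceSize+dekSize+tagSize]
	dataNonce := blob[nonceSize+dekSize+tagSize : header]
	ciphertext := blob[header:]
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekGCM.Open(nil, wrapNonce, wrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	dekGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return dekGCM.Open(nil, dataNonce, ciphertext, aad)
}

// ExposesPII models the attacker in the case: someone holding valid
// credentials who can read whatever the OS hands back. With disk-level
// encryption alone that is the plaintext; with the envelope blob it is not.
func ExposesPII(stored []byte) bool {
	return bytes.Contains(stored, []byte("Jane Doe"))
}

func main() {
	kek, _ := randomBytes(dekSize)                  // stands in for a KEK held by a KMS/HSM
	aad := []byte("/srv/cms/screenshots/000001.png") // constructed path

	fmt.Println("disk-level only, PII visible to a logged-in reader:", ExposesPII(sampleScreenshot))
	blob, err := SealFile(kek, sampleScreenshot, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("per-file envelope, PII visible to a logged-in reader:", ExposesPII(blob))
	plain, err := OpenFile(kek, blob, aad)
	fmt.Println("authorised read with the KEK succeeds:", err == nil && bytes.Equal(plain, sampleScreenshot))
	_, err = OpenFile(bytes.Repeat([]byte{0x22}, dekSize), blob, aad)
	fmt.Println("read with server credentials but no KEK fails:", err != nil)
}
```

The point of the design is where the key lives: the DEK exists only inside the process that writes or reads a file, and the KEK is supplied per request by a service outside the server's trust boundary, so compromising an account on the box does not compromise the stored records. Disk-level encryption still has a job (lost or decommissioned disks), but it answers a different threat than the one in this case.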

"The subcontractor's server was breached by a third party in October 2022 and the unencrypted screenshots were allegedly compromised during that breach," explained the Office of Public Affairs.

The allegations were brought by the US under the False Claims Act, and specifically relate to AFDS billing the CMS for "time spent taking, storing, and managing the unencrypted screenshots" – all while operating in alleged violation of the HHS's cyber security requirements.

"Safeguarding patients' sensitive personal information is of paramount importance," asserted Stephen Niemczak, special agent in charge at the Department of Health and Human Services Office of the Inspector General (HHS-OIG). 

"This settlement demonstrates the commitment by HHS-OIG and our law enforcement partners to use every available tool to protect the healthcare data of all Americans and to investigate allegations of fraud, waste, and abuse against the public and taxpayer-funded healthcare programs."

AFDS was credited in the agreement for its actions in the immediate aftermath of the breach, and the weeks that followed. 

It was said to have alerted the CMS within an hour of the subcontractor informing it of the situation, ordered a full review of its own security by third-party consultants, delivered additional security training to staff, and promptly responded to every Justice Department request. ®
