Cybersecurity Failures and Liability for Health Care Organizations: A New Enforcement Frontier

Chief Healthcare Executive

False Claims Act Investigations & Litigation attorneys Jacques Smith, Pat Naples, and John Keblish authored a piece for Chief Healthcare Executive on the key regulatory developments and emerging areas of risk in cybersecurity-specific False Claims Act (FCA) settlements.

Health care organizations are facing a particularly challenging regulatory environment, with the growth of FCA investigations involving cybersecurity accelerating over the last five years. In 2021, the US Department of Justice launched its Civil Cyber-Fraud Initiative designed to pursue entities that knowingly provided deficient cybersecurity products or services, misrepresented their cybersecurity practices, or violated obligations to monitor and report cybersecurity incidents. 

Additional federal initiatives from the US Food and Drug Administration and the US Department of Health and Human Services have both increased regulatory requirements and heightened enforcement. In 2025, cybersecurity-specific FCA settlements totaled over $50 million. 

Practical Takeaways

  • Federal certification demands compliance. If your organization submits compliance certifications to obtain federal health care funds, or transacts with organizations that do so, the federal government expects robust compliance with cybersecurity standards.
  • Breaches and attacks are to be expected. Health care organizations can no longer point the finger solely at “bad guys” targeting their systems. The federal government expects organizations to anticipate these attacks and institute proper defense mechanisms.

Emerging Areas of Risk

  • Telehealth and remote patient monitoring. Post-pandemic telehealth expansion created new cybersecurity vulnerabilities. The Justice Department has already pursued telehealth enforcement actions for traditional fraud; cybersecurity failures may compound these theories.
  • AI and algorithmic vulnerabilities. Artificial intelligence (AI) systems deployed for diagnosis, coding, and claims submission present cybersecurity vulnerabilities and fraud risks if they generate false or inflated claims.
  • Private equity and investor liability. Private equity firms should assess portfolio company cybersecurity compliance as potential False Claims Act liability during due diligence.
  • Managed care and Medicare Advantage. Medicare Advantage plans certify cybersecurity compliance to the Centers for Medicare & Medicaid Services, and risk adjustment data integrity intersects with cybersecurity when the underlying systems are vulnerable to manipulation.

Read the full article at Chief Healthcare Executive
