Opinion|Articles|May 5, 2026

Cybersecurity failures and liability for healthcare organizations: A new enforcement frontier

Health systems should treat cybersecurity compliance as a fraud prevention imperative.

Healthcare organizations have long understood cybersecurity solely as a regulatory compliance obligation, or as a matter of HIPAA audits, breach notifications, and IT governance.

No more.

In 2025, cybersecurity-specific False Claims Act (FCA) settlements totaled over $50 million. Below, we survey the history of enforcement at the intersection of cybersecurity and healthcare, key regulatory developments, practical takeaways, and emerging areas of risk.

History of fraud enforcement in cybersecurity and healthcare

In 2019, Cisco Systems agreed to pay $8.6 million in civil damages to settle claims that it sold video surveillance technology with known security flaws to several government agencies, marking the first False Claims Act payment involving cybersecurity vulnerabilities.

Two years later, the Department of Justice launched its Civil Cyber-Fraud Initiative, signaling it would use the False Claims Act to pursue entities that knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices, or violate obligations to monitor and report cybersecurity incidents. That same year, the Justice Department announced a $930,000 settlement with Comprehensive Health Services LLC for failing to use a secure system to store confidential patient medical records.

In 2023 and 2024, the Justice Department notched additional settlements arising from cybersecurity failures, including $293,771 associated with Florida's Medicaid enrollment website, $306,722 related to unsecured Medicare beneficiary data, and $2.7 million for COVID-19 contact tracing data.

Regulatory developments

Increased cybersecurity regulatory requirements have combined with heightened enforcement to create a particularly challenging environment for healthcare organizations.

In 2023, the FDA issued guidance requiring premarket submissions to include comprehensive cybersecurity documentation, and the Consolidated Appropriations Act of 2023 clarified that manufacturers certifying FDA compliance face False Claims Act exposure if those certifications are false.

In October 2024, the U.S. Department of Health & Human Services’ Office for Civil Rights announced its "Risk Analysis Initiative" focused on enforcing HIPAA Security Rule requirements. Bryan County Ambulance Authority paid $90,000 to resolve an investigation into its failure to conduct a compliant ePHI risk assessment, the health department said. Late that year, the Centers for Medicare & Medicaid Services proposed modifications to the HIPAA Security Rule to strengthen cybersecurity requirements, and conditions of participation increasingly incorporate cybersecurity elements.

Cybersecurity enforcement in 2025

Settlements in 2025 surpassed those of prior years.

Aero Turbine, Inc. and Gallant Capital Partners, LLC agreed to pay $1.75 million to settle alleged cybersecurity failures in connection with an Air Force contract, the Justice Department said. Health Net paid $11.2 million to resolve allegations that it falsely certified compliance with TRICARE managed care contract cybersecurity requirements.

The Justice Department said Illumina Inc. agreed to pay $9.8 million to resolve allegations that it violated the False Claims Act when it sold genomic sequencing systems with cybersecurity vulnerabilities to federal agencies.

The Office for Civil Rights also announced settlements of $90,000, $80,000, and $10,000 with healthcare organizations for cybersecurity breaches and ransomware attacks.

Practical takeaways

Federal certification demands compliance. If your organization submits compliance certifications to obtain federal healthcare funds, or transacts with organizations that do so, the federal government expects robust compliance with cybersecurity standards.

Breaches and attacks are to be expected. Healthcare organizations can no longer point the finger solely at "bad guys" targeting their systems. The federal government expects organizations to anticipate these attacks and institute proper defense mechanisms.

Emerging areas of risk

Telehealth and remote patient monitoring. Post-pandemic telehealth expansion created new cybersecurity vulnerabilities. The Justice Department has already pursued telehealth enforcement actions for traditional fraud; cybersecurity failures may compound these theories.

AI and algorithmic vulnerabilities. AI systems deployed for diagnosis, coding, and claims submission present cybersecurity vulnerabilities and fraud risks if they generate false or inflated claims.

Private equity and investor liability. Private equity firms should assess portfolio company cybersecurity compliance as potential False Claims Act liability during due diligence.

Managed care and Medicare Advantage. Medicare Advantage plans certify CMS cybersecurity compliance, and risk adjustment data integrity intersects with cybersecurity when systems are vulnerable to manipulation.

Conclusion

Healthcare organizations should treat cybersecurity compliance as a fraud prevention imperative, not merely an IT function.

Boards and executives should ensure programs are adequately resourced, internal audits are taken seriously, and employee concerns about vulnerabilities receive prompt attention.

Organizations should review their federal certifications for accuracy and consider engaging counsel to assess potential False Claims Act exposure before regulators or whistleblowers act.

D. Jacques Smith is a partner and investigation practice leader at ArentFox Schiff. Pascal F. Naples is a senior associate at ArentFox Schiff. John Keblish is an associate at ArentFox Schiff.
