This month, the Department of Justice (DOJ) announced two separate False Claims Act (FCA) settlements against major U.S. airlines.

On July 1, the DOJ announced that Air France and KLM had agreed to pay $3.9 Million to resolve allegations that they violated the FCA by "falsely reporting information about the transfer of U.S. mail to foreign posts or other intended recipients under contracts with the U.S. Postal Service." Specifically, the Postal Service contracted with Air France and KLM "to take possession of receptacles of U.S. mail at six locations in the United States or at various Department of Defense and State Department locations abroad, and then deliver that mail to numerous international and domestic destinations." According to the DOJ's press release, in order for the airlines to obtain payment under the contracts, they were required to submit electronic scans of the mail receptacles to the Postal Service. The settlement resolves allegations that scans submitted by the airlines falsely reported the time and fact that they transferred possession of the mail. On July 7, the DOJ announced that Delta Airlines had agreed to pay $10.5 Million to resolve similar allegations.

Although the vast majority of FCA activity is typically within the healthcare industry, these cases serve as a crucial reminder that any company or individual submitting claims to the federal government for payment or reimbursement are subject to the FCA, including its per-claim penalties and treble damages.

Jason Nielsen, a shareholder of Arrayit Corporation, pleaded guilty to one count of securities fraud for his role in manipulating the company’s stock prices to defraud investors. Arrayit is a California-based biotech company that provides innovative medical devices including healthcare testing. Nielsen, of Scotts Valley, admitted that he engaged in “spoofing” and “scalping” from approximately 2019 through April 2020.

Nielsen is not the first individual accused of illegal activity in connection with Arrayit. In May 2021, a federal grand jury handed down a superseding indictment against Arrayit’s president, Mark Schena. It is alleged that Schena submitted over $70 million in false claims for allergy and COVID-19 testing. According to the superseding indictment, he also engaged in a scheme to defraud Arrayit’s investors by artificially inflating the share prices of Arrayit securities and exaggerating the company’s status and influence. Schena allegedly claimed that their laboratory was the “only laboratory in the world” that offered microarray technology allowing Arrayit to test for allergies and COVID-19 with a drop of blood 250,000 times smaller than what was required for Theranos’ technology. Schena also touted partnerships with Fortune 500 companies that did not exist.

Lazaro Hernandez, of Miami, was charged with conspiracy to deliver into interstate commerce adulterated and misbranded drugs, conspiracy to traffic in medical products with false documentation, conspiracy to commit money laundering, and specific money laundering offenses. It is alleged that Hernandez, along with his co-conspirators, illegally distributed misbranded and adulterated HIV prescription drugs to unknowing patients.

According to the indictment, Hernandez illegally obtained large quantities of HIV medication and created false labeling, along with supporting false documentation, to make the medications appear to be legitimate. The medications were allegedly obtained through fraud, cargo thefts, and pharmacy burglaries. Hernandez and his co-conspirators allegedly created wholesale drug distribution companies in Florida, New Jersey, Connecticut, and New York, and sold the adulterated medications at a discounted price to co-conspirators at pharmaceutical companies in Mississippi, Maryland, and New York. In turn, these wholesale pharmaceutical companies resold the adulterated drugs to pharmacies throughout the country. From 2019 to 2021, Hernandez and his co-conspirators are alleged to have profited more than $230 million for distributing adulterated drugs. In addition to unsuspecting patients receiving adulterated and misbranded medication, health insurers were billed for the prescriptions. It is alleged that Hernandez laundered his proceeds through several corporations in Miami.

Hernandez is not the first to be charged in connection with this nationwide scheme. In 2019, two pharmaceutical company CEOs and two bank account holders were indicted on several charges, including mail fraud and committing violations of the Federal Food, Drug, and Cosmetic Act. Like Hernandez, these defendants were alleged to have distributed illegally acquired and misbranded medical drugs to unsuspecting pharmacies and patients. In addition to HIV medication, the foregoing defendants also distributed medications used for the treatment of cancer and various mental illnesses. The 2019 case now has 15 defendants, including Hernandez. Along with the individual charges outlined above, the grand jury returned a third superseding indictment which added Hernandez and Eladio Vega to the 2019 case. Hernandez faces more than 100 years in prison if convicted of all counts. To date, eight defendants have entered guilty pleas.

In 2020, the Georgia General Assembly proposed a constitutional amendment that would allow Georgians to more easily challenge the constitutionality of state laws and actions. The amendment, which voters overwhelmingly supported, waived sovereign immunity (otherwise shielding the government from being sued) for lawsuits that seek to have a court declare a law unconstitutional or prevent unlawful conduct by government officials. Previous attempts at waiving sovereign immunity had been vetoed by both Governors Nathan Deal and Brian Kemp, but, as we pointed out in an earlier post, constitutional amendments cannot be vetoed.

In March of this year, two companies filed a lawsuit against the State of Georgia and Gwinnett County District Attorney (DA) Patsy Austin-Gatson, who had been aggressively pursuing stores that sell Delta-8 THC products, considered by the DA to be illegal. The companies, which sell Delta-8, contend that their products are legal and asked the court to intervene and stop the raids and seizures that they contend are unlawful. The legality of Delta-8, a substance derived from hemp which can provide a high arguably similar to marijuana, remains unsettled. However, in April, a Fulton County Superior Court judge issued an order in the companies’ lawsuit ordering the DA to cease any enforcement measures concerning Delta-8 until the allegations raised in the lawsuit could be fully addressed.

The Georgia Attorney General (AG) appealed the ruling to the Georgia Supreme Court, arguing that the two companies had not properly brought the lawsuit pursuant to the new constitutional amendment waiving sovereign immunity and that the lawsuit should consequentially be dismissed. Specifically, the AG argued that the DA herself could not be individually named as a defendant for the waiver to apply and the lawsuit to proceed. The Georgia Supreme Court has decided to hear the appeal and will therefore have an opportunity to provide an interpretation of law and instruction on the new constitutional amendment and sovereign immunity.

Hanging in the balance will be the legality of Delta-8 in Georgia given that the Fulton County Superior Court had temporarily allowed the sale of Delta-8 to continue unimpeded in the state “while this case is pending.” The AG’s Office and the companies that brought the lawsuit will both be submitting briefs to the Georgia Supreme Court later this summer with a decision likely to follow fairly soon after.

Shields Health Care Group, Inc. (Shields), a family-owned and operated medical provider group based in Quincy, Massachusetts, reported a cyber breach to the U.S. Department of Health and Human Services. The group has been around for 50 years and has over 30 facilities throughout New England. It offers MRI, PET/CT, and outpatient surgical services, according to its website. Its services include management and imaging services on behalf of numerous health care facilities and business associates of covered entities. According to the HHS’ Breach Portal, Shields reported that 2,000,000 individuals were possibly affected by the cyber breach.

Shields posted a notice to its website explaining the breach and the actions affected individuals can take. According to the notice, on March 28, 2022, Shields was alerted to suspicious activity potentially involving compromised data. Shields worked with subject matter specialists to perform an investigation. The investigation determined that an unknown actor accessed some of Shields’ systems from March 7, 2022 to March 21, 2022. Shields notes that its investigation determined that certain information was acquired or exfiltrated by the unknown actor while it had access to Shields’ system. The data compromised includes names, social security numbers, dates of birth, provider information, diagnoses, patient ID’s, and other sensitive information, including medical or treatment information. According to the notice on its website, Shields has no evidence to indicate that the information exposed or acquired was used to commit theft or fraud. Shields also “took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected.”

Cyber breaches, especially in the health care industry, will continue to plague companies of all sizes. Chilivis Grubman attorneys routinely discuss cyber-related developments. In May 2022, CG attorneys discussed the ARcare data breach that potentially affected over 345,000 individuals. Cyber-related incidents are showing no signs of a decline. In January 2022, CG attorneys discussed the HIPAA Journal’s December 2021 Healthcare Data Breach Report, which indicated there were 70 more data breaches in the healthcare industry in 2021 than in 2020.

Cyber threats are here to stay. Companies in all industries, especially those handling and storing sensitive personal data, should try to safeguard data, ensure proper employee training, and develop a breach response process that is tested, rehearsed, and updated.

On June 2, a Georgia federal judge ruled in the government’s favor, against Middle Georgia Family Rehab in a case involving allegedly false claims submitted to TRICARE and Medicaid. The court ordered the rehab facility to pay $9.6 million under the FCA for allegedly submitting hundreds of false claims to government healthcare programs. Serving as the finder of fact, the judge had previously granted partial summary judgment against the rehab facility, finding that the facility had submitted approximately 800 false claims for services to TRICARE and Medicaid.

The government alleged that the rehab facility had submitted claims for physical therapy and speech therapy under the names of a physical therapist and speech therapist who were no longer working for the facility. The court agreed, finding that the services could not have been rendered by the individuals under whose names the claims had been submitted, and the facility displayed a reckless disregard for the truth in submitting the claims over an eight-month period. Specifically, the Court found that MGFR’s submission of almost 800 claims to Medicaid and TRICARE over an eight-month period following the resignation of one physical therapist and 41 claims following the resignation of a speech therapist could not be characterized as an “honest mistake” and instead “epitomizes ‘reckless disregard’ of the truth.”

The $9.6 million to be paid consists of both damages to the government and per violation penalties for each false claim submitted to the government. This significant award demonstrates how FCA damages can quickly compound the actual amount received from the government payor into a far larger number.

On June 10, Theresa Pickering -- a former physician 's assistant -- was indicted in connection with alleged health care fraud, identity theft, and illegal distribution of controlled substances. The government alleges that Pickering is not a licensed physician’s assistant in Georgia and has not been licensed in any state since March 2014. Despite her lack of licensure, the government alleges that Pickering obtained a physician’s assistant position at a family medicine practice. The government alleges that Pickering, who had previously been convicted of fraud, put patient safety at risk for her own gain by holding herself out as a licensed physician’s assistant knowing that she was not, in fact, licensed.

The government alleges that, without proper licensure and authorization, Pickering treated patients, ordered tests, and prescribed drugs, including controlled substances. Pickering allegedly did so despite being excluded from participation in federal health care programs. Pickering also allegedly prescribed controlled substances in the name of a physician without that physician’s permission. This allegedly led to the submission of $147,000 in fraudulent claims for reimbursement to federal health care programs and private insurance. Pickering has been arraigned on the charges, which are only unproven allegations at this time.

This case demonstrates the importance of having a robust internal compliance program, which includes confirming whether new hires have ever been excluded from participating in federal health care programs or faced other discipline.

On May 31, the Securities and Exchange Commission announced that it had charged SCWorx Corp. and its former Chief Executive Officer with making false and misleading statements about SCWorx’s plans to distribute COVID-19 rapid test kits in April 2020. The SEC alleges that, in order to overcome financial difficulties, SCWorx announced in a press release that it had a “committed purchase order” for two million rapid COVID tests. However, that statement was allegedly false because SCWorx did not have a supplier for the test kits or an executed purchase agreement with any buyer. On top of the original order for 2 million rapid tests, SCWorx allegedly stated that the purchase order included a “provision for additional weekly orders of 2 million units for 23 weeks, valued at $35M [million] per week.” Following the press release, SCWorx stock rose 425% in price. Because of the lack of information in the market concerning SCWorx, the SEC suspended trading in the company’s stocks between April 21, 2020, and May 5, 2020.

Fraud in connection with the COVID-19 pandemic has long been a focus of the federal government. SCWorx and the former CEO are charged with violating the antifraud provisions of the federal securities laws, and the complaint seeks injunctive relief, disgorgement, and civil penalties. SCWorx has agreed to a settlement with the SEC, but it neither admits nor denies the allegations. The settlement calls for a $125,000 penalty and $471,000 in disgorgement with prejudgment interest of $32,761.56. The U.S. Attorney’s Office for the District of New Jersey announced that it had brought criminal charges against the former CEO in a parallel action.

On May 31, the DOJ announced that a federal jury convicted Hieu “Tom” Truong, a pharmacist in Houston, Texas, for unlawfully distributing controlled substances.

According to court documents, Truong was the pharmacist-in-charge of S&S Pharmacy in Houston. Prosecutors presented evidence at trial showing that over a span of 18 months, Truong and his co-conspirators unlawfully distributed over 750,000 doses of controlled substances, including over 500,000 oxycodone and hydrocodone pills. Trial evidence also revealed that S&S Pharmacy filled forged or stolen prescriptions brought in by “street-level drug dealers” in exchange for cash payments.

Truong was convicted of three counts of unlawfully distributing and dispensing controlled substances. He faces a maximum penalty of up to 60 years in prison, and in scheduled to be sentenced on October 3. Seven other co-conspirators, including the owner and manager of the pharmacy, pleaded guilty to unlawfully distributing controlled substances.

On June 1, a federal grand jury returned an indictment charging Pawel Bartoszek, a Lake Grove, New York businessman, with filing false business and individual tax returns with the IRS.

Bartoszek owned and operated Mega State Inc., a construction company. According to the indictment, Bartoszek and individuals acting at his direction purportedly cashed more than $6 million in checks from Mega State clients at a check-cashing business, instead of depositing those funds into Mega State’s business bank account. Bartoszek then allegedly used some of this cash to fund an “off the books” cash payroll for Mega State. The government also accused Bartoszek of failing to inform his return preparer about the cashed checks, enabling him to underreport his company’s income as well as his personal total income. As a result, Bartoszek allegedly filed false tax returns with the IRS for Mega State and himself.

Federal prosecutors charged Bartoszek with six counts of filing a false tax return. If convicted, Bartoszek faces a maximum of eighteen years in prison.

The DOJ also announced the arrest of Kateline Lavache of Hampton, GA on June 1, on criminal charges related to her alleged scheme to defraud Medicare. Lavache is accused of prescribing medically unnecessary durable medical equipment (DME), which her co-conspirators billed to Medicare.

According to the indictment, Lavache allegedly prescribed medically unnecessary DME for Medicare beneficiaries in exchange for kickbacks and bribes from her co-conspirators. Lavache allegedly failed to perform proper consultations with the beneficiaries. According to the government, Lavache “had no prior relationship with the beneficiaries, was not treating them, and failed to even conduct telemedicine consultations with them.” As a result of the prescriptions, Lavache’s co-conspirators purportedly submitted approximately $8.8 million in false and fraudulent claims for medically unnecessary DME to Medicare. Medicare paid more than $4 million. Lavache allegedly received more than $123,000 in kickbacks and bribes.

The government charged Lavache with one count of conspiracy to commit health care fraud and wire fraud, as well as four counts of health care fraud. If convicted, she faces up to 60 years in prison.

The Department of Justice’s Fraud Section leads their Criminal Division’s efforts to combat health care fraud through the Health Care Fraud Strike Force Program. Since March 2007, the program has charged more than 4,200 defendants.

In 2021, the Georgia legislature, in a bill signed by Governor Brian Kemp, established a type of political action committee (PAC) that can accept and spend unlimited funds in support of a candidate. This new type of PAC was called a leadership committee and would be available only to a select few candidates, among them the incumbent Governor and his eventual general election opponent “selected in a primary.”

At the time the law creating leadership committees passed, Governor Kemp was the only candidate able to take advantage of the new type of PAC. Almost a full year later, Stacey Abrams, who became the Democratic nominee for governor in the primary election on May 24, 2022, is now authorized under Georgia law to chair her own leadership committee.

Because of the “lucrative” nature of leadership committees — having no limit on contributions or expenditures and being able to directly coordinate with the candidate (unlike independent committees, known outside Georgia as super PACs) — a candidate with a leadership committee arguably would have an advantage over an opponent who, by law, does not and cannot have one. This unequal footing first led to a lawsuit by Governor Kemp’s primary election opponent, Senator David Perdue, then another by Abrams. Ultimately a federal court ruled that Governor Kemp had to wait until his opponent could also have a leadership committee before he could use his.

After the Senate elections last year leading to two Democratic Senators narrowly edging victory over their Republican opponents, as well as the narrow victory by Governor Kemp over Abrams in the last gubernatorial election, money will likely pour into this year’s gubernatorial contest and, in particular, into the candidates’ respective leadership committees.

As her party’s nominee, Abrams may now fully utilize her leadership committee (she had previously registered the committee in March), One Georgia. Her first disclosure report for the leadership committee showing how much she has raised and spent is due no later than July 8, 2022. Governor Kemp’s leadership committee, Georgians First, will also report then. That will be the first real glimpse into which candidate’s leadership committee will have the fundraising advantage leading up to the general election.

Charles Thompson, a 76-year-old former physician assistant, was convicted of one count of conspiracy to unlawfully distribute and dispense controlled substances and seven counts of unlawfully distributing and dispensing controlled substances for his role in operating two Houston-based pill mills. According to evidence presented at trial, Thompson distributed more than 1.2 million opioid pills while employed at West Parker Medical Clinic (“West Parker”) and Priority Wellness Clinic (“Priority Wellness”) between June 2015 and July 2017.

Thompson assisted doctors in unlawfully prescribing hydrocodone and carisoprodol to individuals posing as patients. Trial evidence showed that “runners” brought imposters to receive unlawful prescriptions and paid the West Parker between $220 and $500 in cash for each visit. In exchange for what has been dubbed the “Las Vegas Cocktail,” Thompson was paid over $208,000 and West Parker earned nearly $1.75 million. Similarly, Thompson assisted doctors at Priority Wellness in illegally prescribing hydrocodone and oxycodone to individuals posing as patients. Priority Wellness was paid between $300 and $600 for the illegal prescriptions, and Thompson made approximately $700 and $900 per day.

The physician Thompson assisted at West Parker, James Pierre, was also convicted of one count of conspiracy to unlawfully distribute and dispense controlled substances and seven counts of unlawfully distributing and dispensing controlled substances. Pierre is scheduled to be sentenced next month. Additionally, six co-conspirators have pleaded guilty in connection to this scheme. Thompson is scheduled to be sentenced on October 3, 2022, and he faces 20 years in prison for each count.

The government previously filed a complaint against former True Health Diagnostics LLC (“THD”) CEO, former Boston Heart Diagnostics Corporation (“BHD”) CEO, and former Little River Healthcare (“LRH”) CEO under the FCA for alleged violations of the Anti-Kickback Statue and Stark Law. The government recently amended its complaint to include six Texas physicians. The amended complaint (“Complaint”) alleges that Doyce Cartrett, Jr., Elizabeth Seymour, Emanuel Paul “E.P.” Descant, Frederick Brown, Heriberto Salinas, and Hong Davis (collectively the “Physicians”) also violated the Anti-Kickback Statue and Stark Law.

According to the Complaint, the Physicians allegedly received kickbacks from management service organizations (“MSOs”) in return for laboratory testing referrals. More specifically, it is alleged that THD and BHD conspired with several small Texas hospitals, including LRH, to pay these Physicians for laboratory referrals.  MSOs were set up by recruiters to pay kickbacks under the guise of investment returns. The Complaint further alleges that medically unnecessary testing was unlawfully billed to federal health care programs. The Physicians are alleged to have collectively received over $750,000 in kickbacks for laboratory referrals.

This matter originated under the qui tam provisions of the FCA by STF LLC. The government intervened in December 2021 and subsequently filed a complaint in January 2022. The government has already recovered more than $31 million in connection with this alleged scheme. Additionally, 29 physicians, 2 health care executives, and one laboratory company have reached FCA settlements for their alleged conduct. U.S. Attorney Brit Featherston for the Eastern District of Texas declared “[o]ur office is committed to rooting out health care fraud by pursuing all players involved the scheme, from the laboratories and their leaders to the marketers and the physicians who make it all possible.”

Cyber threats are well known and companies are often concerned about external threats to their IT systems – and considering the data on breaches, such concern is warranted. However, companies should not overlook insider threats – like the one highlighted in a recent announcement by the U.S. Department of Justice (DOJ). On May 25, 2022, the DOJ announced charges against Aaron Lockner for allegedly causing damage to a protected computer that he previously had authorization to access and service.

According to the DOJ, Mr. Lockner was employed by an IT company that provided information security and technology services for a health care company that operated several clinics. As part of his employment with the IT company, Mr. Lockner serviced the health care company. In February 2018, Mr. Lockner sought employment with the health care company he serviced, but his application was denied. A month later, the IT company terminated Mr. Lockner’s employment. The reason for Mr. Lockner’s termination was not stated in the indictment.

Around April 16, 2018, approximately one month after his termination and two months after his application denial, Mr. Lockner allegedly remotely accessed the health care company’s network without authorization. The government alleges that Mr. Lockner “knowingly caused the transmission of a program information, code, and command, and as a result of such conduct, intentionally caused damage without authorization to a protected computer, belonging to Company A, which caused loss…” The alleged impact included modification or potential modification of medical examination, diagnosis, and treatment of at least one patient, according to the indictment. The alleged acts resulted in the federal government charging Mr. Lockner with one count of intentionally causing damage to a protected computer. The indictment is not evidence of guilt, and the contents of the indictment are only allegations. However, if found guilty, Mr. Lockner faces up to ten years in federal prison, subject to several factors including federal limitations and the U.S. Sentencing Guidelines.

In March 2022, Chilivis Grubman attorneys discussed OCR Director Lisa Pino’s blog post titled “Improving the Cybersecurity Posture of Healthcare in 2022,” and cautioned covered entities and business associates to heed Director Pino’s warnings and take meaningful steps to reduce the likelihood of a cyber event occurring and the impact of such an event. Meaningful steps include consideration of insider threats. Companies often have IT exclusion, termination of access rights, or “lockout” policies and procedures for when an employee’s employment ends. These procedures should occur timely. Companies should also consider backing up or imaging the former employee’s data (when appropriate) to ensure no critical information is lost with implementing lockout procedures.

Mr. Lockner’s indictment, however, highlights insider third-party threats. Companies should review their contracts with third parties and ensure the contractor’s policies, at a minimum, follow the company’s policies. This is especially true when dealing with terminated employees. In Mr. Lockner’s case, he allegedly had access to the health care company’s system a month after the IT company terminated his employment.