On October 19, the Department of Justice announced that it had issued its Annual Report to Congress on its Activities to Combat Elder Fraud and Abuse. The Report begins with a quote from Attorney General Merrick B. Garland, which reads in part, “The COVID-19 pandemic has exposed and exacerbated injustices faced by far too many of the most vulnerable among us, including older Americans and elderly people around the world. For too long, elderly people have faced abuse, neglect, and exploitation.” The Report reveals that during the reporting period of July 1, 2020, to June 30, 2021, DOJ brought 229 criminal and civil cases involving conduct that “targeted or disproportionately affected older adults” with 10% being civil cases and 90% being criminal cases. The cases included conduct involving veteran fraud, technical support fraud, romance fraud, telemarketing fraud, lottery and sweepstakes fraud, investment fraud, and identity theft, among many other types of fraud.

The report also highlighted a few of DOJ’s new initiatives. First, the “Money Mule” initiative. “Money mules are individuals who assist fraudsters by receiving money from fraud victims and forwarding it to fraud organizers.” The report details how many forms of fraud perpetrated against the elderly utilize money mules. Numerous federal agencies including the FBI, the U.S. Postal Inspection Service, and U.S. Immigration and Customs Enforcement and many state agencies made up the participants in the initiative. During the reporting period, the government “took action against” 2,300 money mules, up from only 600 last year.

The report also highlighted the FBI Internet Crime Complaint Center (IC3) Recovery Asset Team (RAT). The FBI established RAT in February 2018 to facilitate freezing funds of victims who had been defrauded into making wire transfers. During the reporting period, IC3 RAT processed 1412 complaints, with a reported loss of nearly $390 million and successfully froze nearly $280 million, a 72% success rate. This attempt to assist victims is a major step in counteracting the incentive to commit fraud against the elderly or otherwise technically deficient individuals.

Elder fraud and abuse is a priority for both state and federal law enforcement. Along with allegations of wire or mail fraud, elder fraud and abuse can form the basis of False Claims Act enforcement actions. Those accepting government funding for the care and treatment of the elderly are especially exposed to False Claims Act liability based on elder fraud and abuse, and companies working in that space must understand that the federal government is focusing on that type of misconduct.

The Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law in March of 2020. The CARES Act, through several programs and allowances, provides relief to businesses and individuals hurt by the COVID-19 pandemic. For example, the CARES Act expands states’ ability to provide unemployment insurance for qualified workers affected by the COVID-19 pandemic, including workers who are not ordinarily eligible for unemployment benefits.

According to the DOJ’s press release, Mr. Thompkins used the social security numbers and other protected personal information of unsuspecting Florida residents. The information was used to obtain prepaid debit cards from California loaded with funds from California’s unemployment insurance, which included CARES Act funds. Mr. Thompkins then withdrew funds from various ATMs in Miami-Dade County. And according to an Associated Press report, the overall scheme involved approximately $300,000 in California unemployment insurance funds, though only $230,000 was withdrawn. Mr. Thompkins plead guilty to one count of unauthorized access device fraud and one count of aggravated identity theft and faces up to 12 years in prison. He is scheduled to be sentenced in January 2022.

Mr. Thompkins’ guilty plea comes weeks after other NFL players pled guilty to health care fraud. In September 2021, the DOJ announced that several former NFL players pled guilty to defrauding a health care program set up by the NFL to benefit former players. You can read the Chilivis Grubman discussion regarding the former NFL players’ fraud here.

The Fraud Section of the Department of Justice (“DOJ”) has prosecuted over 100 defendants in over 70 criminal cases and has seized more than $65 million in illegal proceeds from the Paycheck Protection Program (“PPP”). The DOJ continues to pursue individuals who defraud COVID-19 relief fund programs and has devoted significant resources and established several task forces in pursuit of criminals. Since Congress enacted the COVID-19 relief programs, there have been several indictments related to COVID-19 relief fund fraud. Throughout 2021, the number of individuals sentenced for their roles in defrauding COVID-19 relief funds has steadily increased, as seen in a recent press release by the DOJ. There are no indications that such prosecutions will lessen soon.

On October 13, 2021, the DOJ announced that two individuals were sentenced to jail in the Southern District of Florida for their roles in COVID-19 relief fund fraud. Dennes Garcia, a 28-year-old man, pled guilty to conspiracy to commit wire fraud in July 2021. He admitted to defrauding the PPP by providing false information about his company, such as the number of employees, average payroll, and tax information. Mr. Garcia obtained $285,742, of which he paid more than $71,000 as a kickback to a co-conspirator for assistance in preparing and submitting the application. Mr. Garcia also wrote himself a check for $100,000 from the PPP funds. For his actions, Mr. Garcia must pay $285,742 in restitution and $285,742 in forfeiture. He was also sentenced to 18 months in federal prison.

The DOJ announced the sentencing of Cindi Denton, a 63-year-old woman, to six months in prison and 12 months of home confinement for her role in COVID-19 relief fund fraud. Ms. Denton pled guilty to conspiracy to commit wire fraud in July 2021. Similar to Mr. Garcia, Ms. Denton provided false information about her company, including the number of employees, average payroll, and false supporting tax documents. Overall, Ms. Denton obtained over $491,000 in PPP proceeds. From the proceeds, she sent herself $150,000 and paid more than $98,000 as a kickback to a co-conspirator for assistance in preparing and submitting the application. Both Ms. Denton and Mr. Garcia co-conspired with and paid kickbacks to James Stote for his assistance in preparing and submitting the fraudulent PPP loan applications.

Recipients of COVID-19 relief funds should be diligent in complying with the respective program rules and requirements. As the press release makes clear, the government will prosecute individuals who attempt to defraud COVID-19 relief programs. Chilivis Grubman attorneys have discussed government enforcement efforts related to COVID-19 relief programs that can be read here.

On October 6, the Department of Justice announced an initiative to bring False Claims Act enforcement actions against government contractors who commit fraud related to cybersecurity. Deputy Attorney General Lisa O. Monaco said in a statement that the initiative was intended to combat threats to the security of sensitive information by incentivizing companies to be proactive in their efforts to ward off criminal actors operating in the cyber realm. DOJ plans to accomplish this by holding companies to pre-existing cybersecurity standards and punishing companies that fail to disclose cybersecurity events in a timely manner, if they disclose them at all. DOJ noted that the initiative also hopes to ensure that companies that invest in effective cybersecurity measures are not at a competitive disadvantage to companies that do not meet cybersecurity standards. The initiative will be led by DOJ’s Civil Fraud Section.

Following a cybersecurity review conducted by the Department at the Direction of Deputy Attorney General Monaco in May, the decision was made to take steps necessary to improve cybersecurity programs among federal government contractors. The initiative will also target grant recipients, so academic institutions and teams conducting scientific research are likely to see increased scrutiny and liability following cybersecurity events. Given the prevalence of cyber-attacks against major companies and the fact that most major companies have significant contracts with the federal government, some of the settlements stemming from this initiative are likely to be in the hundreds of millions of dollars, further enticing qui tam relators. When combining the prevalence of cyber attacks against entities doing business with the federal government and the potential for qui tam relators, we are likely to see an explosion of False Claims Act suits related to cybersecurity in the coming years.

QUOTE OF THE MONTH

On October 5, the SEC announced that it had charged CanaFarma Hemp Products Corp., a Canadian startup, and its co-founders with violating the antifraud provisions of the securities laws. The SEC alleges that the company fraudulently raised $15 million from various investors. CanaFarma allegedly told investors that the company processed hemp from its own farm in a fully integrated process. While CanaFarma had a hemp farm, the SEC alleges that none of the hemp processed by the company actually came from the farm and was instead purchased from third parties. The SEC further alleges that the company misstated its past revenue and made future revenue projections without any basis to do so.

SEC also alleges that the co-founders of the company misappropriated $4 million of those funds for personal use or uses unrelated to the company. Along with securities fraud, that conduct potentially exposes the co-founders to charges of criminal wire fraud, embezzlement, and money laundering. In that vein, the co-founders are also the subject of a criminal investigation by the United States Attorney’s Office for the Southern District of New York, which has also announced charges against the pair. If found civilly liable for the charges brought by the SEC, the company and its co-founder face permanent injunctions, disgorgement and prejudgment interest, and civil penalties, as well as officer-and-director liability and penny stock bars against the co-founders.

In September, Chilivis Grubman attorneys wrote about a False Claims Act (“FCA”) settlement for $900K involving a Georgia-based defense contractor. The settlement reminded all individuals and businesses doing business with the government that the FCA applies to all industries, not just healthcare. Often the FCA is discussed in the context of a claim being submitted to the government for payment because the FCA prohibits any person from knowingly presenting, or causing to be presented, a false or fraudulent claim for payment to the federal government. However, the FCA also prohibits the possession, custody, or control of property or money used, or to be used, by the Government and knowingly delivering, or causing to be delivered, less than all of that money or property. 31 U.S.C. § 3729 (a)(1)(D). The FCA further prohibits any person from knowingly making, using, or causing to be made or used, a false record or statement material to a false or fraudulent claim.

In a recent press release, the U.S. Department of Justice (“DOJ”) announced a settlement that demonstrates these often-overlooked FCA applications – those involving non-healthcare businesses and related to money owed to the government. According to the press release, Devon Energy Corporation and its affiliates, Devon Energy Corp., and Devon Energy Production Company LP (collectively, “Devon”) agreed to pay $6.15 million to resolve allegations it violated the FCA while acting as a lessee and removing natural gas from federal lands.

The U.S. government leases federal lands to companies for the extraction and production of natural gas. In exchange for the lease, companies must pay the U.S. government royalties on the value of the gas produced. These companies must convert the gas extracted and produced into a marketable condition at no cost to the United States. The government’s royalties should not be affected by the cost to process and make the gas marketable.

According to the government, Devon improperly deducted costs of gas transportation and processing when calculating royalties owed to the United States. The government considers these expenses to be the cost of placing the gas in marketable condition. Since Devon allegedly deducted this cost in its royalty calculations, the government alleges that Devon “thereby knowingly underreported and underpaid royalties to the Department of the Interior (DOI).”

This settlement provides another example of the DOJ’s willingness and ability to use the FCA as a tool to sue any company in any industry that does business with the federal government. Any entity doing business with the federal government – in any industry – must follow contractual obligations to avoid running afoul of fraud, waste, and abuse laws like the FCA.

Children’s Hospital & Medical Center (CHMC) is the latest healthcare organization to have possibly violated the HIPAA right of access requirements resulting in a settlement, according to an announcement by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). OCR’s announcement marks the twentieth settlement related to violations of HIPAA access rights achieved since the start of its Right of Access Initiative.

The HIPAA right of access standard can be found at 45 CFR §164.524, and generally provides that a HIPAA covered entity must provide individuals, upon request, with access to protected health information (PHI) about the individual maintained by the covered entity in one or more designated record sets. An individual’s personal representative (which would be any person with authority under state law to make health care decisions for the individual, like the parent of a minor), also has the right to access an individual’s PHI, upon request, consistent with the scope of such representation (see 45 CFR §164.502(g)). The access requirements generally do not apply to (1) information not considered “designated record sets,” as defined by 45 C.F.R. § 164.501, (2) psychotherapy notes, and (3) records created in reasonable anticipation of or for a civil, criminal, or administrative action. 45 C.F.R. § 164.524.

CG attorneys have noted in previous blog posts that OCR’s enforcement efforts and related monetary settlements have been broad and wide-reaching, affecting covered entities of all sizes and related various areas of the law. The nineteenth settlement arose from a patient complaint filed in August 2019, alleging that a West Virginia provider failed to provide a copy of a minor child’s records to the child’s parent. And OCR’s most recent announcement related to it its settlement with CHMC involves a similar allegation.

OCR’s settlement with CHMC stems from a complaint filed in May 2020 by a parent who alleged that CHMC did not provide her with timely access to her deceased minor daughter’s complete medical record. The parent, who was her minor daughter’s personal representative, submitted a written request to CHMC for access to her late daughter’s records in January 2020. CHMC provided the parent with a portion of the requested records but the remainder of records needed to be collected from another division of CHMC, according to the resolution agreement. The parent contacted CHMC several times regarding the request and the remaining records. According to OCR, the remaining records were provided to the parent because of its investigation and were received by the parent in June 2016 and July 2020, six and seven months after the initial request. OCR’s investigation concluded that CHMC may have violated HIPAA right of access requirements by failing to provide access to PHI in a timely manner. As part of the settlement agreement, CHMC agreed to pay HHS $80,000 and agreed to comply with a Corrective Action Plan (CAP) that will end one year from the effective date.

Covered entities should note these key takeaways from CHMC’s settlement.

Covered entities should ensure familiarity and compliance with HIPAA requirements, including the right to access protected health information by a patient or a personal representative (45 CFR §164.502(g)). These rights under HIPAA to access protected health information are at 45 C.F.R. § 165.524 and there is HHS guidance on the topic. As noted by Acting OCR Director Robinsue Frohboese, “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”