Federal contractors pay multimillion-dollar settlements over cybersecurity lapses
Two federal contractors have paid a total of $11.3 million in civil penalties to the U.S. government after admitting they failed to properly test the cybersecurity of a system for providing financial assistance to low-income people in New York during the COVID-19 pandemic.
The Department of Justice said Monday that the agreement with Guidehouse Inc. and Nan McKay and Associates resolves allegations that they violated the False Claims Act, a law more than a century old that is intended to protect the government from contractors who misrepresent the quality of their services.
Virginia-based Guidehouse paid $7.6 million and California based Nan McKay, which was hired as a subcontractor on the project, paid $3.7 million, the DOJ said.
Beginning in May 2021, they set up an emergency rental assistance program (ERAP) for the state Office of Temporary and Disability Assistance (OTDA). It went live on June 1 of that year.
“Twelve hours later, OTDA shut down the ERAP website after determining that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet,” the DOJ said. “Guidehouse and Nan McKay acknowledged that had either of them conducted the contractually-required cybersecurity testing, the conditions that resulted in the information security breach may have been detected and the incident prevented.”
As part of the settlement, Guidehouse also admitted that “for a short time period in 2021, it used a third-party data cloud software program to store personally identifiable information without first obtaining OTDA’s permission, in violation of its contract.”
In its statement, the DOJ mentioned the Biden administration’s Cyber-Fraud Initiative, which has been filing cases under the False Claims Act since late 2021. The program “aims to hold accountable entities or individuals that put sensitive information at risk.”
As of the end of May, the government had previously closed five cases as part of the initiative, with the companies ranging from a rocket manufacturer to a web hosting firm to the telecom giant Verizon.
The New York case originated with a whistleblower who used to work for Guidehouse, the DOJ said. An entity owned by that person will receive nearly $1.95 million from the settlement amounts.
Recorded Future
Intelligence Cloud.