/>iSan Diego-based physician Dr. Janette J. Gray and her former medical practice, The Center for Health & Wellbeing, agreed to pay $3.8 million to resolve allegations that they knowingly submitted false claims to Medicare and TRICARE in violation of the False Claims Act (FCA).
Dr. Gray and The Center operated as a “holistic” clinic, claiming to be staffed by medical doctors, nurse practitioners, naturopathic doctors, chiropractors, acupuncturists, and other health professionals. Dr. Gray and her practice offered a variety of alternative treatments, such as IV infusion therapy and hormone/supplement therapy.
The government alleged that from 2012 to 2022, Dr. Gray and The Center submitted false claims to Medicare and TRICARE for services those programs did not cover. Specifically, the government alleged that Dr. Gray and The Center (1) misrepresented the services provided and the rendering provider, including by concealing that the services were rendered by non-covered providers like naturopathic doctors and acupuncturists, (2) improperly billed for services using multiple codes instead of the correct bundled code, and (3) billed for medically unnecessary services. In addition to a $3.8 million settlement payment, Dr. Gray is excluded from participating in all federal health care programs for five years.
Penn State University Agrees to Pay $1.25 Million to Resolve FCA Allegations
The Pennsylvania State University will pay $1.25 million to settle allegations that it violated the FCA by failing to comply with contractual obligations to implement cybersecurity controls in 15 contracts or subcontracts involving the US Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA).
The government alleged that the DoD and NASA contractually required Penn State to implement cybersecurity controls. However, between 2018 and 2023, the university failed to adequately develop mechanisms for correcting deficiencies it identified. DoD contracts require contractors to submit cybersecurity assessment scores demonstrating their compliance with cybersecurity requirements when using covered systems to store or access defense information. The government alleged that Penn State submitted scores acknowledging that it had not implemented certain controls but misrepresented the dates by which it would implement them. The government further alleged that the university ultimately did not pursue any plans of action to implement those controls. The government also claimed Penn State did not use an external cloud service provider that met the DoD’s security requirements when performing certain contracts and subcontracts.
The settlement resolves a qui tam lawsuit filed by Matthew Decker, the former chief information officer for Penn State’s Applied Research Laboratory. The whistleblower is slated to receive a $250,000 share of the settlement amount. The case is captioned US ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895 (E.D. Pa.).
California Home Health Agency and Owner Settle FCA Allegations Relating to Paycheck Protection Program Scheme
Allstar Health Providers Inc., a home health agency, and its owner, Maria Chua, agreed to pay $399,990 to settle allegations that they violated the FCA by knowingly obtaining more than one Paycheck Protection Program (PPP) loan in violation of PPP rules.
The PPP, an emergency loan program administered by the Small Business Administration (SBA) pursuant to the Coronavirus Aid, Relief, and Economic Security (CARES) Act, was intended to ease burdens on small businesses to pay employees and cover other business expenses during the COVID-19 pandemic. PPP loan applicants were required to certify their eligibility and compliance with program rules, including that they would not receive more than one PPP loan before December 31, 2020.
The government alleged that Chua submitted two PPP loan applications for Allstar Health Providers in May 2020. Despite each loan application certifying that the company would not receive more than one loan prior to December 31, 2020, Allstar Health Providers allegedly received and retained two PPP loans in 2020. The government alleged that Chua and Allstar Health Providers violated the FCA by retaining the second duplicate loan, which harmed the SBA when it purchased the loan guaranty on the duplicate loan.
The settlement resolves a lawsuit brought under the whistleblower provisions of the FCA. The qui tam case is captioned US ex rel. Quesenberry v. 2 Evil Geniuses et al., No. 20-cv-8495 (C.D. Cal.). The whistleblower, J. Bryan Quesenberry, will receive approximately $60,000 of the settlement amount.
Virginia Contractor Settles FCA Liability for Failing to Secure Medicare Beneficiary Data
ASRC Federal Data Solutions LLC (AFDS), headquartered in Reston, Virginia, agreed to pay $306,722 to resolve FCA allegations arising from its storage of unsecured personally identifiable information in connection with certain government contracts.
AFDS provided certain Medicare support services under a contract with the Centers for Medicare and Medicaid Services (CMS). The settlement resolves allegations that from March 10, 2021, through October 8, 2022, AFDS stored screenshots from CMS systems containing Medicare beneficiaries’ personally identifiable information on a subcontractor’s server without properly encrypting the files to protect them in the event of a breach. The subcontractor’s server was breached by a third party in October 2022, and the unsecured screenshots containing Medicare beneficiaries’ information were allegedly compromised during that breach. The government alleged that the improper storing of screenshots on the subcontractor’s server violated AFDS’ contractual cybersecurity requirements and that knowingly billing CMS despite those breaches rendered AFDS’s claims for reimbursement false under the FCA.
In addition to the settlement payment, AFDS waived any right to reimbursement for remediating the breach, including at least $877,578 the company incurred to notify beneficiaries and provide credit monitoring. The government recognized that AFDS promptly notified CMS of the data breach, worked with CMS to address the impact of the breach, took other remedial measures, and cooperated with the US Department of Justice’s investigation.
Additional Author: Laura Zell
