Home > What We Do > Government Program Fraud > Cyber Security Fraud

Cyber Security Fraud

Cyber security fraud is a growing problem globally and in the United States. Federal regulations and contracts require many government contractors to establish and maintain strong cyber security measures and to assess and accurately report their vulnerability to cyber attacks.  Where contractors lie about their cyber security, they may violate the False Claims Act, a strong tool to combat cybercrime and the costs associated with inadequate cyber security.

Cyber Security Rules and Guidance

For the most part, the cyber security regulations a contractor must follow are dependent on the contracting government agency. All federal contractors, however, must abide with the Federal Acquisition Regulations (FARs). Department of Defense contractors must follow additional regulations.  For instance, they must implement Defense Acquisition Regulation (DFAR) 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and NIST SP 800-171​ (Protecting Controlled Unclassified Information [CUI] in Nonfederal Systems and Organizations). Similarly, subcontractors in the Defense Industrial Base must certify their compliance with DoD cybersecurity standards to be eligible to work on DoD projects. On October 3, 2023, the government proposed additional DFARs standardizing cybersecurity requirements for handling CUI and regulating cyber threat and incident reporting.  Final versions of the proposed rules are expected to take effect in 2024.

Companies who maintain the protected health information (PHI) of government beneficiaries are subject to additional regulations. For example, they must abide by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and CMS Information Systems Security & Privacy Policy.

Companies who fail to comply with these rules may be liable for claims under the federal False Claims Act.

What is the Civil Cyber-Fraud Initiative?

Cyber fraud poses a risk to businesses, national security, and taxpayers. On October 6, 2021, the Department of Justice introduced the Civil Cyber-Fraud Initiative (Initiative) to combat cyber fraud. The Initiative emphasizes civil enforcement to hold government contractors accountable for failing to meet cybersecurity standards or failing to report cybersecurity incidents and breaches.  This ensures that sensitive government information is protected taxpayer dollars are used appropriately.

The Initiative empowers whistleblowers to file lawsuits against entities or individuals endangering U.S. information by providing deficient cybersecurity products or services, misrepresenting cybersecurity practices, or violating monitoring and reporting obligations.   In addition, the Initiative offers a powerful incentive for whistleblowers.  Whistleblowers may receive up to 30% of the government’s financial recovery in successful cyber security fraud lawsuits.  Reporting cyber fraud aids the government in addressing leaked sensitive material, recovering misappropriated funds, and informing businesses of breaches.

The False Claims Act is a Strong Tool Against Cyber Security Failures

Brian M. Boynton, Assistant Attorney General U.S. Department of Justice provided some insight into how the federal False Claims Act is a strong tool in the fight against cyber crime.

Cyber Security Failures That May Violate the False Claims Act

The False Claims Act can be used to address failures to meet cybersecurity standards when providing products or services to the government. These standards are usually specified in contracts. Violating them can harm the government.

Settlements Under the Civil Cyber Fraud Initiative

The first settlement under the Initiative was announced in March 2022. In that case, Comprehensive Health Services LLC agreed to pay $930,000 to settle claims it breached security protocols.

In July 2022, Aerojet Rocketdyne, Inc. paid $9 million to settle a case alleging it falsely certified its cyber security controls in order to win contracts.

In March 2023, the government settled with Jelly Bean Communications Design LLC for $300,000.  The case involved cyber security failures related to  the protection of PHI in the Florida Medicaid system.

In September 2023, Verizon agreed to pay $4 million to settle a False Claims Act case.  Verizon received credit for self-reporting its failure to provide adequate security controls in federal contracts.

In May 2024, Insight Global paid $2.7 million to settle claims that it transmitted personally identifiable health data via unencrypted emails, accessed it using shared passwords, and stored data on unprotected files potentially accessible to the public.

The largest settlement under the initiative to date happened in July 2024.  Guidehouse, Inc. and Nan McKay & Assoc. agreed to pay $11.3 million to resolve allegations that they failed to meet cybersecurity requirements while administering New York’s Emergency Rental Assistance Program.

Penn State paid $1.25 million to settle the first case under the initiative involving academia. In October 2024, the university settled allegations of cybersecurity failures related to use of non-compliant cloud services.

In March 2025, the government settled the landmark case against Morsecorp, Inc. brought by one of our clients. The $4.6 million settlement resolved allegations that Morsecorp. made false representations concerning its compliance with required cybersecurity controls for safeguarding sensitive government information.  It was the first major False Claims Act settlement with a member of the defense industrial base based on the failure to implement the required cybersecurity controls.

In May 2025, Raytheon Company, its parent RTX Corporation, and successor Nightwing Group agreed to pay $8.4 million to resolve allegations under the False Claims Act for failing to comply with cybersecurity requirements in 29 Department of Defense contracts.

In July 2025, biotech company Illumina, paid $9.8 million to settle allegations that it sold its genomic sequencing systems to government agencies without having an adequate security program.

You can read more about the early takeaways from the Initiative in our prior blog post.

We Help Whistleblowers Report Cybersecurity Failures

If you know that a government contractor has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, contact us.  Our attorneys include several former federal prosecutors with experience safeguarding sensitive government information.  We can discuss your concerns in a confidential and secure setting. We can also advise you on the best options to prevent critical information and data from falling into the wrong hands.

Cybersecurity News and Analysis

DoD Publishes Final CMMC Rule

September 10, 2025

Today, the Department of Defense (DoD) published the final Cybersecurity Maturity Model Certification (CMMC) rule.  This is a major step toward strengthening cybersecurity across the defense industrial base (DIB). This...

Read More >>

Illumina Settles False Claims Act Cybersecurity Case for $9.8 Million

August 5, 2025

Illumina, a biotechnology company headquartered in California, will pay $9.8 million settlement to resolve allegations that it violated the False Claims Act. The case claims that Illumina knowingly sold genomic...

Read More >>

Key Takeaways from CS2 on Cybersecurity, NIST SP 800-171, and CMMC

May 29, 2025

The CS2 conference in Reston, Virginia was an essential event for government contractors faced with cybersecurity compliance challenges. The two-day program provided invaluable information on compliance with NIST SP 800-171,...

Read More >>