San Diego-based physician Dr. Janette J. Gray and her former medical practice, The Center for Health & Wellbeing, agreed to pay $3.8 million to settle allegations that they knowingly submitted false claims to Medicare and TRICARE in violation of the False Claims Act (FCA).

Dr. Gray and The Center operated as a “holistic” clinic, claiming to be staffed by doctors, nurses, naturopaths, chiropractors, acupuncturists and other healthcare professionals. Dr. Gray and her practice offered a variety of alternative treatments, such as IV infusion therapy and hormone/supplement therapy.

The government alleged that Dr. Gray and The Center from 2012 to 2022 submitted false claims to Medicare and TRICARE for services that those programs did not cover. Specifically, the government argued that Dr. Gray and The Center (1) misrepresented the services provided and the provider of the representation, including by concealing that the services were performed by non-covered providers such as naturopaths and acupuncturists, (2) falsely billed for the services. use multiple codes instead of the correct package code, and (3) bill for medically unnecessary services. In addition to a $3.8 million payment, Dr. Gray barred from participating in all federal health care programs for five years.

Read the press release here.

Penn State University agrees to pay $1.25 million to settle FCA charges

Pennsylvania State University will pay $1.25 million to resolve allegations that it violated the FCA by failing to comply with contractual obligations to implement cybersecurity controls in 15 contracts or subcontracts involving the U.S. Department of Defense (DoD) and the National Aeronautics and Space Administration ( NASA) ).

The government argued that DoD and NASA contractually required Penn State to implement cybersecurity controls. However, between 2018 and 2023, the university failed to adequately develop mechanisms to correct deficiencies it identified. DoD contracts require contractors to submit cybersecurity assessment scores that demonstrate compliance with cybersecurity requirements when using covered systems to store or access defense information. The government argued that Penn State submitted scores that admitted it had not implemented certain controls but misrepresented the dates of when it would implement them. The government further argued that the university ultimately failed to follow through on any action plans to implement these checks. The government also alleged that Penn State did not use an outside cloud service provider that met DoD security requirements when performing certain contracts and subcontracts.

The settlement solves one qui tam lawsuit filed by Matthew Decker, former chief information officer of Penn State’s Applied Research Laboratory. The whistleblower is slated to receive a $250,000 share of the settlement amount. The case is subtitled USA ex rel. Decker v. Pennsylvania State Univ2:22-cv-03895 (ED Pa.).

Read the press release here.

California Home Health Agency and Owners Settle FCA Charges Relating to Paycheck Protection Program

Allstar Health Providers Inc., a home care agency, and its owner, Maria Chua, agreed to pay $399,990 to settle allegations that they violated the FCA by knowingly obtaining more than one Paycheck Protection Program (PPP) loan in violation of PPP rules.

PPP, an emergency loan program administered by the Small Business Administration (SBA) pursuant to the Coronavirus Aid, Relief, and Economic Security (CARES) Act, was intended to ease the burdens on small businesses to pay employees and cover other business expenses during the Covid-19 pandemic. PPP loan applicants had to certify their eligibility and compliance with program rules, including that they would not receive more than one PPP loan before December 31, 2020.

The government alleged that Chua submitted two PPP loan applications for Allstar Health Providers in May 2020. Despite each loan application certifying that the company would not receive more than one loan before December 31, 2020, Allstar Health Providers allegedly obtained and maintains two PPP loans 2020. The government argued that Chua and Allstar Health Providers violated the FCA by maintaining the second duplicate loan, injuring the SBA when it purchased the loan guarantee on the duplicate loan.

The settlement resolves a lawsuit brought under the FCA’s whistleblower rules. The qui tam case is subtitled USA ex rel. Quesenberry v. 2 Evil Geniuses et al.No. 20-cv-8495 (CD Cal.). The whistleblower, J. Bryan Quesenberry, will receive approximately $60,000 of the settlement amount.

Read the press release here.

Virginia Contractor Settles FCA Liability for Failure to Secure Medicare Beneficiary Data

ASRC Federal Data Solutions LLC (AFDS), headquartered in Reston, Virginia, agreed to pay $306,722 to settle FCA charges stemming from its storage of unsecured personally identifiable information in connection with certain government contracts.

AFDS provided certain Medicare support services under a contract with the Centers for Medicare and Medicaid Services (CMS). The settlement resolves allegations that from March 10, 2021 through October 8, 2022, AFDS stored screenshots from CMS systems containing Medicare beneficiaries’ personally identifiable information on a subcontractor’s server without properly encrypting the files to protect them in the event of a breach . The subcontractor’s server was breached by a third party in October 2022, and the unsecured screenshots containing Medicare beneficiary information were allegedly compromised during the breach. The government argued that the improper storage of screenshots on the subcontractor’s server violated AFDS’s contractual cybersecurity requirements and that knowingly billing CMS despite those violations rendered AFDS’s claim for reimbursement false under the FCA.

In addition to the settlement payment, AFDS waived all rights to compensation to cure the breach, including at least $877,578 the company incurred for notifying beneficiaries and providing credit monitoring. The government found that AFDS promptly notified CMS of the data breach, worked with CMS to address the consequences of the breach, took other corrective actions, and cooperated with the US Department of Justice’s investigation.

Read the press release here.

Additional Author: Laura Zell