This week, Guidehouse Inc. and Nan McKay and Associates (Nan McKay) agreed to pay $11.3 million to settle claims that they violated the False Claims Act when they failed to comply with cybersecurity standards in contracts aimed at providing a secure online application process for federal rental assistance to low-income New Yorkers during the COVID-19 pandemic. According to the suit, the two negligently completed the required pre-production cybersecurity testing for the application software, which allowed the data breach that compromised applicants’ personal information.

Negligence at the Center of the Breach

Congress established the emergency rental assistance program (ERAP) in 2021 to provide financial assistance to eligible low-income households for rent and other housing-related expenses during the COVID-19 pandemic. The Office of Temporary and Disability Assistance (OTDA) in New York administered the state’s ERAP and contracted with Guidehouse to provide the technology used for completing and submitting online applications.

Under the contract, Guidehouse and Nan McKay shared responsibility for ensuring the ERAP Application underwent cybersecurity testing before being launched to the public. However, Guidehouse and Nan McKay admitted that they did not complete the required pre-production cybersecurity testing. In fact, in just a matter of hours after being launched, the website was breached, and some applicants’ personal information was compromised and leaked online.

Had Guidehouse and Nan McKay completed the required cybersecurity testing, the security breach may well have been detected and the incident prevented. Guidehouse also admitted that for a period it violated the contract by using a third-party data cloud software program to store applicants’ personal information without first obtaining OTDA’s permission.

According to the Department of Justice, Guidehouse and Nan McKay committed cybersecurity fraud by putting “sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents.”

Whistleblowers in this case

The investigation that led to the settlement was prompted by a lawsuit filed under the whistleblower provisions of the False Claims Act, which allows individuals to file a lawsuit on behalf of the government when they have evidence of fraud affecting federal programs. As a reward, whistleblowers can receive a portion of the money recovered in the case. In this case, the settlement agreements provide for the whistleblower to receive a $1,949,250 share of the settlement amounts. Whistleblowers are also protected from retaliation by the provisions of the False Claims Act. An experienced whistleblower attorney can provide valuable guidance through the process of filing an FCA claim.

Importance of whistleblowers in cybersecurity compliance fraud

As cybercriminals become ever-more sophisticated, it’s important that companies entrusted with protecting data take their role as cybersecurity practitioners seriously. This is particularly true when working with government agencies which often require the strictest data security measures given the type of data and information with which they work. When data breaches occur, sensitive data gets leaked, which can lead to serious consequences. Thus, by helping uncover cybersecurity compliance fraud, whistleblowers help ensure that cybersecurity standards are met and can help keep everyone’s sensitive and personal data and assets safe.

Baron & Budd Whistleblower Attorneys

Baron & Budd’s whistleblower representation team has more than 40 years of experience representing dozens of clients in government fraud cases. They have returned more than $6 billion to federal and state agencies with whistleblower recovery shares as high as 50%.

For more information, see What You Need to Know About Becoming a Whistleblower.