US contractor pays $300k to settle accusation it didn’t properly look after Medicare users’ data

October 16, 2024 at 07:23PM

ASRC Federal Data Solutions will pay $306,722 to settle claims of violating cybersecurity rules before a data breach affecting Medicare beneficiaries. The contractor, while not admitting liability, agreed to waive reimbursement for prior remediation costs. The breach involved a subcontractor failing to meet cybersecurity standards, allowing unauthorized access to sensitive data.

### Key Takeaways

1. **Settlement Agreement**: ASRC Federal Data Solutions (AFDS) will pay $306,722 to settle claims regarding violations of cybersecurity protocols prior to a data breach affecting Medicare beneficiaries’ personal information, without admitting liability.

2. **Restitution and Reimbursement Waiver**: AFDS agreed to waive any rights to reimbursement for costs incurred related to the breach, which included $877,578 for notifying affected individuals and providing credit monitoring services.

3. **Cybersecurity Compliance**: The matter highlights the necessity for government contractors managing personal data to adhere strictly to cybersecurity regulations to prevent data breaches.

4. **Incident Timeline and Shift to Electronic Records**: The breach occurred during AFDS’s transition to electronic management of certain Medicare services, a transition prompted by the COVID-19 pandemic, between March 10, 2021, and October 8, 2022.

5. **Subcontractor Compliance Issues**: The breach was attributed to a subcontractor that failed to meet Department of Health and Human Services (HHS) cybersecurity standards, leading to compromised data through unsecured screenshot files.

6. **Details of the Breach**: The breach of the subcontractor’s server in October 2022 allowed unauthorized access to unencrypted screenshots containing personally identifiable information (PII); although some of the files were covered by disk-level encryption, that encryption did not protect them against the unauthorized access.

7. **Justice Department’s Stance**: Government officials emphasized the serious nature of personal information protection and the vigilance against contractors that do not comply with cybersecurity protocols.

8. **AFDS’s Response Post-Breach**: AFDS received credit in the settlement for promptly notifying CMS of the breach, undertaking a security review, enhancing staff training, and cooperating with Justice Department investigations following the incident.

9. **Future Implications**: The case underscores the consequences of non-compliance with cybersecurity measures and affirms HHS’s commitment to protecting sensitive healthcare data.

10. **Official Statements**: Officials reiterated the importance of safeguarding patient information and the commitment of law enforcement to address fraud and protect taxpayer-funded programs.
