In a significant development for government contractors and healthcare entities, the Department of Justice’s Civil Cyber-Fraud Initiative drove major False Claims Act settlements throughout 2025, highlighting cybersecurity compliance as a continued enforcement priority.
Defense contractors bore the brunt of enforcement actions, though a notable case involving a biotechnology company signals the initiative’s expanding reach into healthcare sectors. The settlements underscore the critical importance of adhering to federal cybersecurity standards, including NIST, DFARS, and FedRAMP requirements.
MORSE Corp, a Massachusetts-based defense contractor, agreed to pay $4.6 million to resolve allegations stemming from a qui tam complaint. The company allegedly failed to implement required NIST 800-171 cybersecurity controls, comply with DFARS requirements, and ensure subcontractors met similar standards.
In another significant case, Georgia Tech Research Corporation settled for $875,000 over allegations of cybersecurity requirement failures, including inadequate anti-virus implementation and submitting inflated assessment scores to the Department of Defense. The case raised interesting questions about the “fundamental research” exception to cybersecurity regulations—potentially relevant for academic medical centers—but settled before the court could address this issue.
Perhaps most relevant to healthcare organizations was the $9.8 million settlement with a diagnostics company that develops DNA sequencing technologies used in genetic testing. DOJ alleged the company sold sequencers with software vulnerabilities that left genetic information susceptible to unauthorized access. The settlement included $4.3 million in restitution and appeared to involve a damages multiplier exceeding the typical 2x standard, suggesting DOJ viewed these violations as particularly serious.
“These cases demonstrate that cybersecurity compliance isn’t optional for government contractors, especially those handling sensitive health data,” noted a compliance expert familiar with the settlements. “The damages multiplier in the genetic testing case sends a clear message about how seriously DOJ takes these vulnerabilities.”
The settlements also highlighted several crucial risk management strategies for companies doing business with the government. Self-disclosure and cooperation with investigations continue to yield substantial benefits in reduced penalties. In July 2025, defense contractor Aero Turbine Inc. and its private equity investor Gallant Capital Partners settled for $1.75 million after voluntarily disclosing cybersecurity failures. Their extensive cooperation resulted in an approximate 1.5x damages multiplier, well below the typical 2x standard.
The inclusion of Gallant Capital Partners in this settlement serves as a stark reminder to private equity investors about potential liability when involved in portfolio companies’ operations. DOJ alleged a Gallant employee was directly engaged in some of the misconduct, extending liability to the investment firm.
Successor liability emerged as another significant risk, as demonstrated in an $8.5 million settlement with Raytheon Company, RTX Corporation, and Nightwing entities. DOJ named Nightwing as a “successor in liability” for Raytheon’s cybersecurity failures, despite Nightwing acquiring Raytheon’s cybersecurity business three years after the relevant period. This underscores the importance of thorough due diligence during acquisitions and prompt self-disclosure if noncompliance is discovered post-acquisition.
The stakes rose further in December 2025 when a grand jury indicted a former senior manager of a government contractor for allegedly misleading federal agencies about the security of a cloud platform used by the U.S. Army. The charges included major government fraud, wire fraud, and obstruction of federal audits—demonstrating potential criminal exposure for individuals involved in cybersecurity misrepresentations.
Industry analysts expect these enforcement trends to continue and potentially accelerate in 2026, with increased focus on the healthcare sector given its wealth of sensitive data and growing reliance on connected technologies. The introduction of artificial intelligence systems in healthcare environments may create additional compliance challenges and enforcement risks.
“Healthcare organizations should be conducting regular cybersecurity assessments and ensuring their compliance programs specifically address federal cybersecurity requirements,” advised a healthcare compliance attorney. “The DOJ has made it clear that cybersecurity is an enforcement priority, and the potential financial and reputational damage from violations can be substantial.”
For healthcare companies navigating these risks, traditional best practices remain essential: implementing robust compliance programs, promptly addressing concerns, conducting thorough due diligence during transactions, and self-disclosing discovered failures. As the enforcement landscape evolves, proactive compliance measures will be critical to avoiding costly settlements and protecting sensitive healthcare information.

19 Comments
This enforcement effort is a reminder that cybersecurity is not just an IT issue, but a critical compliance and legal risk for any organization working with the government.
Absolutely. Cybersecurity has to be embedded into the overall compliance and risk management framework for government contractors.
It will be important to monitor if these enforcement actions lead to any changes or updates to the relevant cybersecurity standards, like NIST 800-171 and FedRAMP. Continuous improvement in the requirements is key.
Interesting that the DOJ is cracking down on cybersecurity compliance among government contractors. Seems like a growing enforcement priority as federal agencies demand tighter controls. Wonder if this will drive more investments in security by these companies to avoid hefty fines.
Yes, the settlements highlight the serious consequences for failing to meet cybersecurity standards. Contractors will need to carefully review their compliance practices to avoid similar issues.
The breadth of impacted sectors, from defense to biotech, indicates the DOJ is taking a comprehensive approach to cybersecurity enforcement. No industry seems immune from these scrutiny efforts.
Yes, the wide net cast by the Civil Cyber-Fraud Initiative signals this is a top priority for the DOJ across government contractors and suppliers.
The MORSE Corp and Georgia Tech Research cases highlight the need for rigorous implementation and validation of cybersecurity controls, even for large organizations. Sloppy compliance can be very costly.
Exactly. These settlements show that mere paperwork compliance is not enough – agencies will dig into the actual security practices to ensure they meet requirements.
The expansion into healthcare sectors is notable. Cybersecurity is critical across industries that handle sensitive government data and systems. This enforcement signals a wider push for accountability on security measures.
Absolutely. Tightening cybersecurity requirements for healthcare providers handling government information is an important step to protect sensitive data.
Curious to see how these enforcement actions and settlements impact the broader cybersecurity landscape. Will it drive more investment and focus on compliance, or just create an adversarial dynamic between contractors and regulators?
Good question. Ideally it would lead to a collaborative effort to strengthen cybersecurity standards and practices, rather than just a compliance burden for companies.
This enforcement under the False Claims Act is an interesting legal tool to drive cybersecurity improvements. Leveraging fraud statutes to target security gaps is a creative approach.
This crackdown on cybersecurity failures under the False Claims Act is a significant development. It shows the government is getting serious about holding contractors accountable for lax security practices.
Yes, these settlements send a clear message that cybersecurity compliance will be rigorously enforced, with substantial financial penalties for non-compliance.
It will be interesting to see if these enforcement actions and settlements spur more whistleblower activity, with insiders incentivized to report cybersecurity lapses to the government.
Good point. The False Claims Act’s qui tam provisions could incentivize more internal whistleblowing on cybersecurity issues at government contractors.
The scale of the fines, like $4.6 million for MORSE Corp, shows the DOJ is willing to levy substantial penalties to drive the message home on cybersecurity compliance.