Keller Grover

Protecting Employees and Consumers

615.864.9771

  • Our Team
  • Practice Areas
    • Whistleblower Actions
    • Employment Violations
    • Antitrust Litigation
    • Consumer Protection
  • FAQs
    • Whistleblower FAQs
    • Employment Law FAQs
    • Antitrust FAQs
    • Consumer Protection FAQs
  • News
  • Contact Us

Cybersecurity Misrepresentation and the False Claims Act: When Contractors Lie About Their Security Compliance

Jun 01 2026

Free and Confidential
Case Review 24/7

615.864.9771

Se Habla Español

Keller Grover / Cybersecurity / Cybersecurity Misrepresentation and the False Claims Act: When Contractors Lie About Their Security Compliance

According to February 2025 Department of Justice announcement, Health Net Federal Services, Inc. and its corporate parent Centene Corporation agreed to pay $11,253,400 to resolve False Claims Act allegations involving cybersecurity fraud. The settlement resolved claims that Health Net falsely certified compliance with cybersecurity requirements in its contract with the Department of Defense to administer the Defense Health Agency’s TRICARE health benefits program for servicemembers and their families. 

The government alleged that between 2015 and 2018, Health Net failed to timely scan for known vulnerabilities and to remedy security flaws on its networks and systems, in accordance with its own System Security Plan.

No data breach was required to establish liability. The false certification itself was enough.

What Does the False Claims Act Have to Do With Cybersecurity?

Most people associate the False Claims Act with healthcare billing fraud or defense contractor overbilling. But the law applies to any knowing misrepresentation made in connection with a claim for government payment. When a contractor certifies cybersecurity compliance as a condition of receiving federal funds, and that certification is false, every payment the government makes on that contract is potentially a false claim.

The DOJ’s Civil Cyber-Fraud Initiative, launched in 2021, specifically focuses on entities that knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches.

The theory of liability is not limited to deliberate fraud. The FCA’s “knowingly” standard includes deliberate ignorance of the truth or reckless disregard of the truth or falsity of information, not just actual knowledge. Contractors who submit compliance affirmations without verifying their accuracy, or who fail to promptly correct inaccurate compliance claims when new information comes to light, can face FCA exposure.

The Contracts That Require Cybersecurity Compliance

Federal contracts that involve controlled unclassified information (CUI) require contractors to implement the security controls set out in NIST Special Publication 800-171, a framework covering access controls, incident response, vulnerability management, and over 100 other requirements. Contractors must assess their own compliance and submit scores to the Supplier Performance Risk System (SPRS). Those self-assessments become representations to the government.

When contractors inflate their SPRS scores, skip required controls, or certify a System Security Plan they have not actually implemented, they have made a false statement in connection with a federal contract. The DOJ specifically cited Raytheon’s lack of a System Security Plan as a critical compliance gap in the May 2025 settlement that resolved allegations across approximately 30 Department of Defense contracts.

Raytheon, RTX Corporation, and Nightwing Group agreed to pay $8.4 million to resolve those allegations. The whistleblower, a former Director of Engineering at Raytheon, received a share of the recovery.

No Breach Required

One of the most significant features of the DOJ’s cybersecurity enforcement theory is that an actual data breach is not necessary to trigger FCA liability. What matters is whether the contractor’s certifications were accurate at the time they were made.

In the Illumina matter, the DOJ secured a $9.8 million settlement for misrepresentations about cybersecurity compliance in medical device software. These cases confirm the trend of the DOJ using the FCA to enforce cybersecurity obligations even absent a data breach.

The same principle applied in the Health Net case. Both HNFS and Centene maintained that no vulnerabilities were exploited and no data breaches occurred, yet they agreed to pay over $11 million to resolve the allegations.

Common Whistleblowers Regarding Cybersecurity Fraud

The people with the most direct knowledge of a contractor’s actual cybersecurity posture are typically the people who work on it, such as: 

  • IT security staff who know a required control was never implemented
  • Engineers who raised concerns about vulnerability scanning and were told to proceed anyway
  • Compliance personnel who signed off on self-assessments they knew were inflated or inaccurate
  • Employees who discovered that sensitive government data was being processed on systems that did not meet federal standards

In the Georgia Tech case, the whistleblowers were the university’s associate director of cybersecurity and a former information security graduate student. They alleged that when they brought compliance problems to administrators, the administrators failed to take action. When their internal reports went nowhere, they filed a False Claims Act complaint.

That pattern, an employee raising concerns, being ignored, and then filing a qui tam lawsuit, is how many cybersecurity FCA cases begin. Several major fiscal year 2025 cybersecurity settlements originated from qui tam complaints filed by former employees with inside knowledge of cybersecurity practices. Whistleblowers in successful qui tam actions may be eligible to receive a percentage of the government’s recovery.

The Enforcement Trend Is Accelerating

Cybersecurity enforcement gained significant momentum in fiscal year 2025, with the DOJ recovering more than $52 million across nine cybersecurity-related FCA settlements, a substantial increase from prior years. The rollout of the Cybersecurity Maturity Model Certification program, which adds third-party verification requirements for defense contractors, is expected to generate more compliance data, more discrepancies between certifications and actual practices, and more potential whistleblower complaints.

If you work for a government contractor and have knowledge of cybersecurity misrepresentations made to obtain or retain federal contracts or funds, you may have the basis for a False Claims Act qui tam lawsuit. These cases are technically and legally complex, and working with an experienced whistleblower attorney before taking any steps protects both the strength of your claim and your rights.

Contact Keller Grover today to speak with a whistleblower attorney about what you have observed. Our team handles False Claims Act cases and can walk you through your options before you take any other steps.

 

  • Facebook
  • LinkedIn
  • YouTube

KELLERGROVER, LLP · 1965 Market St. San Francisco, CA 94103 · 615-864-9771 · info@kellergrover.com
© 2025 KELLERGROVER, LLP. All rights reserved · Disclaimer & Privacy Policy