Medicare Beneficiary Data Access Authority Failure Through Unencrypted PII Storage Accepted as Compliant With Cybersecurity Requirements at ASRC Federal Data Solutions Under CMS Contract
Context
Federal contractors handling Medicare beneficiary data operate under contractual cybersecurity requirements that define the security posture those systems must maintain as a condition of the contract. The requirements are not advisory. They are conditions of performance. When a contractor bills under the contract, it is implicitly representing that the conditions of the contract — including its security obligations — are being met. The billing credential is a representation of compliant performance. The cybersecurity posture the contract requires is part of what that representation encodes.
ASRC Federal Data Solutions (AFDS) held a CMS contract to provide Medicare support services. In the course of that work, AFDS and its subcontractor took screenshots from CMS systems that contained personally identifiable information — and potentially protected health information — of Medicare beneficiaries. Those screenshots were stored on the subcontractor's server without individual encryption, in violation of the cybersecurity requirements the contract imposed. In October 2022, an unauthorized third party accessed the subcontractor's server using valid credentials and compromised the unencrypted screenshots.
Trigger
DOJ announced on October 15, 2024, that AFDS agreed to pay $306,722 and waive rights to $877,578 in breach remediation costs to resolve False Claims Act allegations. The allegations covered AFDS billing CMS for time spent taking, storing, and managing the unencrypted screenshots while operating in alleged violation of HHS cybersecurity requirements. AFDS notified CMS of the breach within one hour of being notified by the subcontractor and cooperated fully with the DOJ investigation, receiving cooperation credit in the settlement structure. DOJ noted that the case demonstrates that contractors who handle PII must take required steps to protect it — and that billing under a contract whose security conditions are not being met constitutes a false claim independent of whether the work was otherwise performed.
Failure Condition
The access authorization credential in this case operates at two levels. At the first level: the third party accessed the subcontractor's server using valid credentials. The server's access control system authenticated those credentials and granted access. The credentials were valid. The data on the server should not have been accessible in the form it was stored — unencrypted screenshots of Medicare beneficiary PII. The security posture that should have made access to unprotected data impossible was absent. The credential said the system was secure enough to hold this data. It was not.
At the second level: AFDS billed CMS under a contract whose cybersecurity conditions were not being met. The billing submission is itself an access authorization instrument — it asserts that the contractor's performance meets the conditions of the contract and authorizes payment. The cybersecurity compliance condition was part of what that authorization represented. When AFDS billed for time spent storing unencrypted screenshots, the billing credential represented a compliant security posture that was not present at the point of billing.
Both failures share the same structural condition: the credential authorized access or payment on the representation that a security posture was present. The security posture was not present. Neither the system access control nor the billing system verified the underlying condition at the point of reliance. The credential moved as sufficient. The consequence — compromised beneficiary PII — materialized from the gap between what the credential represented and what was actually there.
This case is analytically distinct from the HNFS case (Case 104) in one important respect: the harm materialized. In HNFS, the cybersecurity credential was false but no breach occurred. Here, the absence of the security posture the credential represented produced a confirmed breach affecting Medicare beneficiaries. The condition is not theoretical. The unencrypted data was accessed. The people whose information was stored in that gap absorbed the consequence.
Observed Response
The $306,722 settlement plus $877,578 remediation waiver represents the full financial consequence — the total effective recovery to the government exceeds $1.1 million. The settlement structure reflects AFDS's cooperation: prompt disclosure, full cooperation with investigation, and remediation steps taken immediately following the breach. DOJ's Civil Cyber-Fraud Initiative treats cybersecurity compliance as material to payment even where the underlying work was otherwise performed — the false billing claim arises from the gap between the security posture the contract required and the security posture actually present at the time of billing. The breach confirmed that gap in the most direct possible way.
Analytical Findings
- ASRC Federal Data Solutions settled False Claims Act allegations for $306,722 plus waiver of $877,578 in remediation costs in October 2024, resolving claims that it billed CMS under a Medicare support services contract while storing beneficiary PII in unencrypted screenshots on a subcontractor's server in violation of contractual cybersecurity requirements
- An unauthorized third party accessed the subcontractor's server in October 2022 using valid credentials — the access control system authenticated the credentials and granted access to a server that should not have held unencrypted beneficiary data; the security posture the access credential was supposed to represent was not present
- The billing submission functions as a second access authorization credential: it asserts compliant performance of the contract's security conditions and authorizes payment on that representation; AFDS billed for time spent managing unencrypted screenshots while the cybersecurity condition the billing represented was not being met
- This case is the realized-harm counterpart to HNFS (Case 104): where HNFS documented a cybersecurity compliance credential that was false without a confirmed breach, ASRC Federal documents the same structural condition producing a confirmed breach — the unencrypted data was accessed, the beneficiaries whose PII was in those screenshots were harmed, and the gap between what the credential represented and what was present produced the outcome
- DOJ's Civil Cyber-Fraud Initiative treats cybersecurity compliance as material to payment even absent an actual breach — AFDS's prompt disclosure and cooperation received credit in the settlement structure, but the false billing claim was established by the gap between required and actual security posture at the time of billing, independent of the breach that later confirmed that gap
- The effective government recovery — $306,722 in settlement plus $877,578 in waived remediation reimbursement — totals more than $1.1 million, establishing that the financial consequence of cybersecurity credential failure includes not only the settlement amount but the remediation costs the contractor cannot recover when the underlying posture it billed for was never present