Guidehouse Inc. and Nan McKay and Associates have agreed to pay $11.3 million to resolve allegations related to cybersecurity failures. The lawsuit, stemming from violations of the False Claims Act, concerns the companies’ handling of the Emergency Rental Assistance Program (ERAP) designed to support low-income households during the COVID-19 pandemic. Guidehouse will pay $7.6 million, while Nan McKay will contribute $3.7 million.
The breach occurred in June 2021 when the ERAP website, which was managed by Guidehouse and Nan McKay, was compromised just 12 hours after launch. The companies admitted to failing to perform necessary pre-production cybersecurity testing, which led to the exposure of applicants’ personally identifiable information (PII). Guidehouse also violated contract terms by using unauthorized third-party data cloud software.
The investigation into the breach was prompted by a whistleblower lawsuit under the False Claims Act, filed by Elevation 33 LLC, a former Guidehouse employee. The whistleblower will receive a $1.9 million share of the settlement, highlighting the role of whistleblowers in uncovering and addressing cybersecurity lapses.
This settlement underscores the government’s commitment to enforcing cybersecurity standards for federal contractors. Principal Deputy Assistant Attorney General Brian M. Boynton and U.S. Attorney Carla B. Freedman emphasized the importance of adhering to cybersecurity obligations to protect sensitive personal information and maintain the integrity of government programs.