February 4, 2025

Government Contracts Enforcement: DOJ Publishes FY 2024 False Claims Act Statistics

Holland & Knight Government Contracts Blog
Megan Mocho | Kelsey M. Hayes

The U.S. Department of Justice (DOJ or the Department) has published statistics on False Claims Act (FCA) settlements and judgments for fiscal year (FY) 2024, a year in which the Department saw the highest number of qui tam actions filed in a single year (979 lawsuits). Government-initiated enforcement dropped slightly from the prior fiscal year high, but there remains an overall upward trajectory. Though qui tam cases continue to account for approximately 70 percent of the total actions, the total number of qui tam cases increased dramatically to the current high.

New FCA Matters by Filer: FYs 2014 to 2024

The numbers confirm that FCA enforcement is generally on the rise. Total FCA actions (both government-initiated and qui tam) were up significantly, with the largest rise coming from an increased number of actions outside the military and healthcare segments. These "other" agency actions accounted for 63 percent of all actions, consistent with the trend of increased activity in this area over the last three years. This increase might be attributable to Paycheck Protection Program and COVID-19 pandemic-related cases, which are filtering through the system, or a general heightened awareness of the FCA by whistleblowers. Given how it is structured, the Department's new criminal Corporate Whistleblower Pilot Program is unlikely to negatively impact these numbers.

Total FCA Matters by Segment: FYs 2014 to 2024

The Department reported more than $2.9 billion in FCA settlements and judgments for this past year, with over $400 million going to relators. As in past years, healthcare fraud again made up the largest portion of the Department's recovery (over $1.67 billion), representing 57 percent of recoveries. As a percentage of the total, this number is down from years prior. This is due to several non-healthcare settlements outside of the U.S. Department of Defense (DOD), which accounted for 39 percent, or $1.1 billion, of the total recoveries. Military procurement recoveries represented a mere 3 percent of the reported recoveries, with $93 million recovered.

Total Judgments and Settlements by Segment: FYs 2014 to 2024

Cases brought by qui tam relators continue to drive recoveries, which is a consistent trend across all of the last 10 fiscal years.

Total Judgments and Settlements by Entity: FYs 2014 to 2024

Of the $2.9 billion recovered in 2024, 83 percent is attributable to qui tam suits, 91 percent of which were cases in which the government intervened. This means only a small percentage of recoveries can be attributed to relator-only cases, showing that the value of qui tam settlements in non-intervened cases is dropping. Recoveries from the past three fiscal years had been 19 percent, 60 percent and 28 percent, respectively.

Percentage of Qui Tam Case Recoveries by Intervention Type: FY 2024

With regard to procurement fraud, both civilian and military, the Department highlighted several settlements and judgments relating to cost and pricing issues and government cybersecurity requirements. Notably, all of the highlighted procurement fraud cases began as qui tam actions filed by former employees or individuals otherwise associated with contract performance.

Cost and Pricing: Defective Pricing, Improper Markups and Improper Cost-Type Subcontracts

In publishing its FY 2024 FCA statistics, the DOJ reported, among others, a $55.1 million judgment obtained against a multinational software company and a $70 million settlement with another major U.S. aerospace and defense contractor and its subcontractor (both wholly owned subsidiaries of the same parent company). The DOJ obtained the $55.1 million judgment against a software company in December 2024 following a four-week bench trial and a decade of FCA litigation. Such litigation is rare in the FCA space. The court found the contractor had made false claims by misrepresenting its commercial sales practices during the negotiation and performance of a U.S. General Services Administration (GSA) Multiple Award Schedule (MAS) contract. The contractor, by failing to appropriately disclose to GSA its nonstandard discounts and rebates offered to comparable customers, undermined GSA's ability to negotiate favorable pricing and induced GSA to accept and then continue to pay higher prices than it would have.

The $70 million settlement, announced in June 2024, resolved allegations that a prime contractor and its subcontractor overcharged the U.S. Navy for spare parts and materials needed to repair and maintain aircraft. According to a DOJ press release, the companies entered into an illegal "cost-plus-percentage-of-cost" (CPCC) subcontract, under which the prime agreed to purchase parts from the subcontractor at cost plus a fixed 32 percent markup. The prime contractor then submitted cost vouchers to the Navy for reimbursement of the amounts it paid to the subcontractor. The government alleged that, by failing to disclose that the costs claimed by the prime were the product of an illegal CPCC subcontract, the companies knowingly presented false and fraudulent cost vouchers to the Navy.

Cybersecurity Requirements

FY 2024 was a big year for the Department's Civil Cyber-Fraud Initiative, which it continues to push out to the whistleblower and contractor community as a key enforcement area.

In FY 2024, the Department joined a whistleblower suit and filed a complaint-in-intervention against a university for allegedly failing to meet cybersecurity requirements in connection with DOD contracts, DOJ's first litigation under the Cyber-Fraud Initiative. Filed by the government in August 2024, the complaint-in-intervention alleges that the university defendant failed to implement cybersecurity controls required by DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, under contracts with the U.S. Air Force and Defense Advanced Research Projects Agency (DARPA), including one contract related to the development of technology for threat actor attribution. The complaint also alleges that the university "intentionally, knowingly, and negligently" provided DOD a false campuswide summary level score under DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, rather than a score for the information technology systems where research involving covered information was actually conducted, with "the intention of inducing DoD to award and retain government contracts." The action is still ongoing (i.e., no settlement or judgment to report for FY 2024), but the action is nonetheless notable in that it is the Department's first litigation under its Civil Cyber-Fraud Initiative.

Of the Civil Cyber-Fraud actions resolved in FY 2024, DOJ reported two FCA actions relating to agreements entered into during the COVID-19 pandemic and the compromise or potential compromise of personally identifiable information (PII). In the first action, a staffing company agreed to pay $2.7 million to resolve allegations that it failed to implement adequate cybersecurity measures to protect PII and personal health information obtained under a COVID-19 contact tracing contract involving federal funds. Though the Department's press release does not state that the PII and other confidential information obtained under the contract were compromised or accessible to the public, the information – transmitted in the bodies of unencrypted emails, accessible by multiple staff members through shared passwords and stored via Google – was at risk of public disclosure and not adequately protected per the required cybersecurity measures.

In the second settlement, reported just a month later in June 2024, a consulting company and its subcontractor agreed to pay $11.3 million to resolve FCA allegations in connection with an alleged failure to meet cybersecurity requirements under a federally funded grant for emergency rental assistance. The federally funded agreement required the companies to perform cybersecurity testing of the rental assistance online application in a pre-production environment before the application was launched to the public. The companies allegedly failed to perform the required cybersecurity testing and, as a result and unlike the earlier settlement discussed above, the applicants' PII and other confidential information actually were compromised and accessible to the public for a period of time.

Conclusion

Contractors need to continue to be vigilant in their compliance and training, particularly around pricing and cybersecurity areas. In the wake of large or numerous settlements in an area, we tend to see increased FCA whistleblower activity in the following years. Cybersecurity and pricing will undoubtedly be leading the charge in 2025 as well.
