On June 17, 2024, the Department of Justice announced that Guidehouse Inc. paid $7.6 million and its subcontractor Nan McKay and Associates paid $3.7 million — $11.3 million combined — to resolve False Claims Act allegations that they failed to meet cybersecurity requirements on a federally funded contract. If you want a single case that shows how cyber compliance becomes a fraud problem, this is it.
What the Contract Was
In early 2021, Congress created the Emergency Rental Assistance Program (ERAP) to help low-income households cover rent and utilities during the COVID-19 pandemic. In New York, the Office of Temporary and Disability Assistance (OTDA) ran the program. Guidehouse was the prime contractor responsible for the ERAP technology and services; Nan McKay was its subcontractor responsible for the application that New Yorkers used to apply online.
What Went Wrong
According to DOJ, the companies failed to ensure the program operated in a secure environment. The government alleged they did not complete required cybersecurity testing of the application before it went live — and that a data vulnerability briefly exposed applicants' personal information. The applicants here were low-income residents submitting exactly the kind of sensitive data — income, housing status, identity details — that attracts attackers.
A point worth underlining: this was a federally funded contract administered through a state agency. The False Claims Act reached the conduct because federal dollars and federal requirements were involved, even though the end users were state residents and the contracting party was a state office.
Why This Is a False Claims Act Case, Not Just a Breach
A breach alone is a security problem. This became a fraud problem because the companies allegedly certified or implied compliance with cybersecurity requirements they had not met, while drawing on federal funds. That is the recurring theme across the DOJ's Civil Cyber-Fraud Initiative: liability attaches to the false certification, not merely to the incident.
The FCA is powerful for two reasons. It carries treble damages plus per-claim penalties, and its qui tam provision lets whistleblowers — often a company's own IT or security staff — sue on the government's behalf and share in the recovery.
The Flow-Down Lesson
Note that the subcontractor paid too. Nan McKay built the application; it could not point upstream to the prime and walk away. If you are a sub handling sensitive data on a federally funded job, the cybersecurity obligations reach you, and so does the liability. Confirm in writing which party owns testing, hosting, and incident response — and then actually do it.
What to Do Now
- Map your cybersecurity obligations before go-live. Identify required testing, security controls, and acceptance criteria, and finish them *before* the system handles real data.
- Keep certifications honest. Don't represent — in proposals, progress reports, or invoices — a security posture you haven't achieved.
- Document the testing. A dated record of the security assessment you performed is your best defense if a claim ever arises.
- Pin down sub/prime responsibilities in writing. Ambiguity about who secures what is how vulnerabilities slip through.
- Treat internal complaints seriously. Many qui tam suits follow ignored warnings from inside the company.
Key Takeaways
- Cyber compliance failures on federally funded contracts can become False Claims Act liability — for primes *and* subs.
- The trigger is usually a false or implied certification of compliance, not the breach itself.
- Finish and document required security testing before sensitive systems go live.
See the broader pattern on the Enforcement page, or confirm which cybersecurity rules apply to your contract with Find My Requirements. *(Settlements are not admissions of liability.)*