This post is a courtesy of Fox Rothschild attorney Nathanael F. Williams, Esq., and was first published as an Alert on Fox’s website. 

Health care providers should take special notice of the risk of cyber threats at all times, including over holiday weekends.

Labor Day weekend is upon us. Unfortunately, history has shown that, rather than resting, hackers and other threat actors take advantage of holidays to attack closed or understaffed businesses when they least expect it.

To remind businesses not to let their guard down over the holiday weekend, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a Joint Cybersecurity Advisory, “Ransomware Awareness for Holidays and Weekends.” The advisory urges businesses “to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.” The FBI and CISA have no specific intelligence indicating a particular attack will occur, but these agencies have taken the opportunity, as is Fox Rothschild through this client alert, to remind businesses to stay vigilant over the holiday weekend and take proactive steps to prevent future cyberattacks.

CISA and the FBI note that in 2021 ransomware attacks on or before Mother’s Day weekend, Memorial Day weekend and the Fourth of July weekend had a significant impact on a number of critical industries. To mitigate the risk of these ransomware attacks, CISA and the FBI urge businesses to conduct “threat hunting,” a proactive strategy that involves searching out intrusions or malware on systems or the network before a full-scale attack is launched. CISA and the FBI describe threat hunting as including “understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.”

These attacks are a serious threat to businesses of all sizes and industries. Based on statistics from the FBI’s Internet Crime Complaint Center (IC3), there has been a 20% increase in the number of ransomware incidents since 2020, and a 225% increase in the amount of the ransom demand since 2020. Furthermore, although many sophisticated ransomware groups conduct “big game” attacks on large businesses, small and medium-sized businesses with fewer resources to dedicate to cybersecurity also face significant risks. Adding to the danger, cyber threat actors are increasingly utilizing a “lock and leak” approach, in which a business’ data is not only encrypted but also exfiltrated from the business to use as leverage. Cyber threat actors threaten to publish the business’ sensitive information if the ransom is not paid.

The Joint Cybersecurity Advisory provides best practices and recommended mitigations to assist businesses in taking appropriate next steps to protect their IT environments. The FBI and CISA recommend setting up an “on call” system for IT security employees over weekends and holidays so a business can quickly react to a ransomware attack. Furthermore, the FBI and CISA recommend implementing the following network security best practices:

  1. Make offline backups of your data, and implement a regular backup schedule.
  2. Implement a user training program and conduct phishing awareness exercises to help employees recognize the various threats the organization can face and how to respond and thwart them.
  3. If your business uses Remote Desktop Protocol (RDP), or other risky services, secure and monitor it.
  4. Update your operating systems and software, and scan for vulnerabilities.
  5. Ensure strong passwords by having a strict password policy.
  6. Use multifactor authentication.
  7. Secure the network(s); implement segmentation, filter traffic and scan ports.

If your business learns of a potential or actual data security event, Fox Rothschild is here to help. Our Data Breach Prevention & Response Team is available 24/7 to help your business through a cyber attack, and can be reached via our data breach hotline at 800-680-0595 or by email at

If you have any questions about how to take proactive steps to prevent future cyber attacks or concerns about a prior incident, you can contact Nate Williams or any other member of the Data Breach Prevention & Response Team.

This post is a courtesy of Fox Rothschild attorney William H. Maruca, Esq., and was first published as an Alert on Fox’s website.

A bipartisan bill introduced this summer would impact residential and behavioral health facilities and other health care providers sued under the federal False Claims Act (FCA), making defense of these actions more expensive and difficult.

The False Claims Amendments Act of 2021 was designed in part to undo the result of the U.S. Supreme Court’s 2016 ruling in Universal Health Services, Inc. v. United States ex rel. Escobar, which allowed providers to argue that an alleged misrepresentation or violation was not “material” if the government agency continued to pay claims in some circumstances.

The bill would also force providers to pay for certain discovery costs incurred by the government and would limit the ability of the Justice Department to dismiss FCA cases without a hearing.

Residential and behavioral health providers, like all providers, will face greater obstacles in defending FCA actions if this bill is enacted. Even without these changes, FCA suits are extremely expensive to defend and expose providers to penalties that frequently reach the millions.

The False Claims Act

The FCA is a Civil War-era statute that provides that any person who knowingly submits false claims to the government is liable for up to three times the government’s damages plus a penalty for each false claim, currently between $11,803 and $23,607. The FCA allows private citizens (“relators”) to file whistleblower suits on behalf of the government (called “qui tam” suits) against those who have defrauded the government and receive a portion of the government’s recovery.

False claims can include fictitious or misrepresented services as well as claims based on false records and claims submitted while a provider is in violation of one or more technical requirements of payment including the Anti-Kickback Statute and the Stark Self-Referral Statute.


The Escobar case has been interpreted to allow defendants to argue that the government’s continued payment of claims can be cited as evidence that a violation was not “material” and would not be sufficient to support a false claims allegation. The bill would shift the burden of proof to the defendant to prove by “clear and convincing evidence” that the violation was not, in fact, material to the government’s payment of the claims.

Discovery Expenses

The bill also would require defendants to reimburse the government for costs associated with irrelevant, disproportional or unduly burdensome discovery. This rule is designed to discourage broad “fishing expeditions” by defendants seeking to ferret out evidence that a government agency knew about the alleged violations and did not consider them material. The defendants would need to pay the government’s costs unless they can show the information requested is “relevant, proportionate to the needs of the case, and not unduly burdensome on the government.” The burden of proof of the relevance and proportionality of discovery is on the defendant.

Dismissal of FCA Claims

The federal government can either intervene in a whistleblower’s FCA case or decline to do so, in which case the whistleblowers can generally still proceed at their own expense. The Justice Department has the authority to dismiss meritless or frivolous cases. The bill would require the Justice Department to demonstrate its reasons for dismissal and offer the whistleblower a hearing in which they would have the opportunity to show that the reasons for the government’s dismissal are fraudulent, arbitrary and capricious, or contrary to law.

Action Plan

The best defense is to detect and remedy any compliance issues before they result in whistleblower litigation or government enforcement. A robust and well-implemented compliance program is your most effective preventive medicine. See The Importance of Updating Compliance Programs for Skilled Nursing, Assisted Living and Other Residential Care Facilities.

Your compliance plan should address the seven essential elements identified by the Office of Inspector General in its compliance guidance documents:

  • written policies, procedures and standards of conduct
  • designation of a compliance officer and compliance committee
  • effective training and education
  • effective lines of communication
  • internal monitoring and auditing
  • enforcing standards through well-publicized disciplinary guidelines
  • prompt responses to detected offenses

Contact your Fox Rothschild attorney to review your current compliance efforts and determine if updates or modifications are needed.

Approximately ten days after the first federal court decision in the country about mandatory COVID-19 vaccinations by an employer, Bridges v. Houston Methodist Hospital (the “Hospital”), 153 of the Hospital’s employees were fired or resigned. On June 12th the court dismissed an action brought by a very small cadre of employees of the Hospital to enjoin the implementation of its policy of requiring employees to be vaccinated against COVID-19 as a condition of continued employment. In the five-page decision by U.S. District Court Judge Lynn Hughes, the court upheld the Hospital’s mandatory vaccination policy, which carved out narrow exceptions to employee inoculation by any of the three vaccinations authorized on an emergency use basis by the United States Food and Drug Administration (“FDA”) based upon medical conditions or sincerely held religious beliefs.
The action was instituted by a nurse, Jennifer Bridges, joined by one-hundred and sixteen (116) other employees of Houston Methodist Hospital (the “Hospital”) representing less than 0.5% of the employees to prevent the Hospital from enforcing its mandatory vaccination policy. It is important to note that, when the action was filed, 24,947 of the 26,000 Hospital employees were already vaccinated.
The plaintiffs advanced several arguments to support their request to forestall enforcement of the requirement that Hospital employees be vaccinated by June 7, 2021 or face termination. Their arguments principally relied on the assertion that the COVID-19 vaccinations are experimental and dangerous. The court granted the Hospital’s motion to dismiss all the plaintiffs’ claims.
Specifically, the Plaintiffs argued that termination for failure to comply was equivalent to wrongful termination in violation of Texas law. The court held that Texas law only protects employees from being terminated for refusing to commit an act carrying criminal penalties. The plaintiffs failed to specify the illegal act that they refused to perform.
The Plaintiffs also alleged that the vaccination requirement violated public policy. The court held that Texas law does not recognize a public policy exception to at-will employment on that basis and, even if it did, the Hospital’s requirement was consistent with public policy, including policy embodied in holdings from the Supreme Court and guidance from the Equal Employment Opportunity Commission.
In addition to their wrongful termination claims, the Plaintiffs also alleged that the vaccine requirement violated their option under federal law, 21 U.S.C. Sec. 360bbb-3, to accept or refuse administration of the vaccine. In dismissing the claim, the court explained that the plaintiffs misconstrued 21 U.S.C. Sec. 360bbb-3, which relates to a requirement of the Secretary of Health & Human Services to ensure that recipients of medical products introduced into interstate commerce intended for use in an emergency be informed of potential benefits and risks of its use, and given the option to accept or refuse administration of the product. The provision does not apply to private employers and does not relate to the authority under “emergency use authorization.”
The Plaintiffs also alleged that they were akin to “human subjects” participating in research, and therefore needed to consent to the vaccination in accordance with the regulations governing human subject research in part 46 of the Code of Federal Regulations. The Court again noted that the plaintiffs misconstrued the applicable provision and held that the protections under the Human Subject Research Law are inapplicable to the Hospital; the Law applies to the government, not a private employer. Further, the court dismissed the allegation that equates the Hospital’s policy with the atrocities of medical experimentation in the concentration camps as “reprehensible.”
The Plaintiffs are appealing the decision. In the interim, several major hospitals throughout the country have promulgated similar policies. It is expected that there will be a ripple effect of these policies, particularly considering this decision. For hospitals and other types of employers contemplating a COVID-19 vaccination mandate, here are some helpful tips:

  • Make sure that the policy clearly articulates legitimate essential health and safety concerns that serve as the basis for protecting your staff, customers, and other third parties by generally requiring proof of COVID-19 vaccination;
  • Include provisions that enable employees to request a reasonable accommodation for a disability or medical contraindication, or for a sincerely held religious belief or practice, that would preclude vaccination and not create an undue burden for the employer;
  • Document all communications with employees in the context of the policy; and
  • Provide a reasonable timeline for phasing in vaccinations.

Please also be aware of this Firm’s Alert entitled EEOC Issues Guidance on COVID-19 Vaccinations in the Workplace (Employment Discrimination Report).

A nationwide telemedicine kickback scheme led to fraudulent Medicare reimbursements for durable medical equipment and genetic testing. The full Department of Justice press release can be found here.

Fraudulent Telemedicine Orders

From June 2018 through September 2020, a Georgia nurse, known as “Nurse Robin,” and her co-conspirators recruited physicians and other medical professionals to sign orders for orthotic braces, pain creams, and genetic testing. Nurse Robin told the physicians that her team of nurses would contact patients to conduct telemedicine exams on behalf of the physicians.

In fact, there was no team of nurses. According to court documents, the conspirators had targeted elderly Medicare beneficiaries through a series of call centers to obtain their identities and insurance information. They falsified the beneficiaries’ medical histories and examinations in the orders that the physicians signed. Nurse Robin and her co-conspirators then paid the physicians for signing the orders.

The result was thousands of fraudulent orders billed to Medicare and Medicaid, resulting in over $1.5 billion in losses to the federal programs from the thirty-three defendants in the Southern District of Georgia, alone. As the investigation is still ongoing, the true amount of loss is likely greater.

The Aftermath

Nurse Robin pled guilty to the conspiracy and faces a possible statutory sentence of up to five years in prison without parole, financial penalties, restitution and up to three years of supervised release.

Both the U.S. Department of Health and Human Services (HHS) and the Department of Justice made their stance on telemedicine fraud clear. Derrick L. Jackson, Special Agent in Charge for the Office of Inspector General of the HHS, stated, “Telemedicine has become a valuable tool for delivering health services in this time of pandemic. However, bad actors are abusing these tools to commit health care fraud. When marketing and so-called telehealth services are misused, alleged violators can expect aggressive investigation and swift prosecution.” Acting U.S. Attorney Estes said, “Telemedicine has played an increasingly important role in providing accessible healthcare, particularly during the pandemic. With our law enforcement partners, we will continue to work diligently to identify and shut down those who would attempt to use technology and deceit to defraud taxpayer funded safety net programs.”

As the prevalence of telemedicine continues, providers should ensure compliance of their business arrangements to prepare for increased scrutiny. Should you have any questions regarding the compliance of your business arrangements, please contact Anahita Anvari, Edward J. Cyran or any member of the Fox Rothschild Health Law Group.



A recent health care fraud conspiracy case resulted in federal prison sentences for six participants, serving as a warning to pharmacy owners and their employees. Read the full Department of Justice Press Release, here.

The Case

Mohamed Abdalla is a licensed pharmacist who owned several pharmacies throughout Northern Virginia, including Medex Health Pharmacy and Royal Care Pharmacy. From at least January 2014 to December 2018, Abdalla conspired to defraud federal, state, and private health care benefit programs in violation of the federal Anti-Kickback Statute. The U.S. Attorney’s Office brought charges against Abdalla and his co-conspirators for the following schemes:

  • The payment or receipt of unlawful kickbacks for expensive drugs and devices; and
  • Billing Medicare and TRICARE, the Department of Defense’s health care program, for expensive drugs and devices for themselves, family members, and other pharmacy employees that were not medically necessary and/or not prescribed by a physician, and billing for prescriptions for pharmacy customers that were not filled or not received by the beneficiary.

Specifically, Abdalla and his co-conspirators capitalized on the opioid crisis by paying or obtaining kickbacks for the referral of prescriptions for compound medications and for a naloxone auto-injector used to treat opioid emergencies. In total, the schemes resulted in roughly $2 million and over $6 million of loss to Medicare and TRICARE, respectively.

According to Raj Parekh, the acting U.S. Attorney for the Eastern District of Virginia, “The defendants betrayed their duties as health care professionals, performed illegal kickbacks, and defrauded essential benefit programs out of millions of dollars. EDVA is committed to prosecuting those who exploit taxpayers and engage in the unacceptable fleecing of these important public institutions and programs.”

The Sentences

Abdalla and his five co-conspirators received the following sentences:

  • Mohamed Abdalla was sentenced to four years in prison as the main owner and operator of the pharmacies involved in the schemes.


  • Onkur Lal worked for Abdalla as a pharmacist and used his knowledge to circumvent audits and investigations by third parties that were investigating fraud on behalf of health benefit programs. He was sentenced to three years in prison for his role in the conspiracies.


  • Mohammed Tariq Amin worked as a pharmacy technician and general manager of the Royal Care Pharmacy during the schemes. Amin conspired with Abdalla to pay kickbacks for the naloxone auto-injector device prescriptions. He was sentenced to two years in prison.


  • Daniel Tyler Walker worked as a pharmaceutical sales specialist for the company responsible for marketing the naloxone auto-injector device. From August 2015 to April 2017, Walker accepted a 25% kickback of the net sales of the prescriptions from Abdalla and Amin. Walker was sentenced to 15 months in prison.


  • Seth Michael Myers accepted kickbacks for the referral of compound medications from Abdalla and a licensed physician. Myers and the physician created a company that was paid over $2.5 million during the scheme, which spanned from 2013 to 2016. Myers was sentenced to two years in prison.


  • Michael Beatty worked as a licensed pharmacist. For about a year, he conspired with Myers to pay kickbacks for the referral of expensive compound medications. He was sentenced to one year and one day in prison.


The Takeaway

As stated by Christopher Dillard, Special Agent in Charge of the Defense Criminal Investigative Service (DCIS) Mid-Atlantic Field Office, “These sentencings should send a clear warning that DCIS and its investigative partners will vigorously pursue fraudsters intent on lining their pockets with tax dollars earmarked for the care of our Warfighters.”

This case also shows a continued focus by the Department of Justice to pursue instances of fraud and abuse related to the national opioid crisis. As such, pharmacies, pharmaceutical sales companies, and medical device companies involved in the filling of prescription drugs or devices related to opioids should expect scrutiny in their affairs and take extra precautions to ensure their business arrangements do not violate federal or state laws.

Should you have any questions regarding whether certain arrangements involving your business are compliant with fraud and abuse laws, please contact Anahita Anvari, Edward J. Cyran or any member of the Fox Rothschild Health Law Group.


More and more physicians are opting to leave private practice (or to skip it altogether) for the perceived job security and hopefully steady paycheck of hospital employment. According to a study conducted by the American Medical Association (AMA), the number of physicians practicing in private practice is now less than 50%. According to the AMA, this is the first time the private practice percentage has dropped this low since 2012 when the AMA began formally conducting the study.

To be sure, managing a private medical practice, like any closely-held private business, has its share of challenges.  However, as the recent shake up at one Pennsylvania health system demonstrates, being someone else’s employee can be a risky proposition when you have no control over the decisions that can make or break your practice.

Many physicians thinking about hospital employment as opposed to private practice should consider that they are likely to receive only a short term employment agreement – often 3 or fewer years in length with the possibility of earlier termination.  Typically there is no guarantee of contract renewal and if times are tough, many physicians can see their proposed renewal-term compensation reduced or put at further risk based on often unachievable performance metrics.

Moreover, employed physicians could wake up one day to learn that their employer is in financial trouble and they are being “restructured” out of their job.  When asked, many physicians who have elected to remain in private practice will say they are willing to put in the work required to manage and grow their practices in exchange for the knowledge that they retain control over their own professional destiny.

While hospital employment might be right for some physicians, all physicians considering employment should carefully weigh the long term risks and rewards of building a private practice over which they maintain control versus those of employed practice where they may find their professional life dangling by a relatively short-term contract over which they have little control.

If you need legal assistance with your private practice or if you are looking to establish or re-establish your private practice, please contact Todd Rodriguez at 610-458-4978 or by email at

This post is a courtesy of Fox Rothschild attorney, Marcus C. Hewitt, Esq., and was first published as an Alert on Fox’s website.  It is most relevant for health care providers that are based in North Carolina.  If you would like more information as to how this issue might affect your facility, please contact Mr. Hewitt at

North Carolina legislators filed another bill to amend the state’s Certificate of Need Act on April 1, 2021.

As filed, Senate Bill 462 would modify several longstanding cost thresholds that trigger CON review:

  • tripling the cost threshold for diagnostic centers from $500,000 to $1.5 million, to be adjusted annually based on changes in the consumer price index
  • raising the cost threshold for major medical equipment from $750,000 to $2 million, to be adjusted annually based on changes in the consumer price index
  • doubling the $2 million general cost threshold for a new institutional health service under N.C. Gen. Stat. § 131E-176(16)b to $4 million, to be adjusted annually based on changes in the consumer price index

The bill also inserts a provision that any CON will expire if construction does not commence within the following time frames:

  • Four years for projects with capital expenditures over $50 million
  • Two years for projects with capital expenditures of $50 million or less

Raising the cost thresholds would allow smaller, less expensive projects to proceed without CON review, while still requiring examination of larger, more expensive proposals.

Under current law, a CON does not expire, but the North Carolina Department of Health and Human Services has the authority to revoke a CON if the holder is not making good faith efforts to develop the project. However, delays in the development of CON-approved projects are common and such a revocation is rare.

Legislators have also filed bills to fully repeal the CON Law. Bills filed in the North Carolina Senate and House (S309 and H410) remain pending and are currently in committee.

On March 5, 2021, the Pennsylvania Department of Health (the “Department”) proposed permanent regulations relating to medical marijuana, replacing the current temporary regulations at 28 Pa. Code Part IX. The proposed regulations can be accessed here, and the notice regarding the same can be accessed here.

The Proposed Regulations are in substantially the same form as the temporary regulations that have been in effect since April of 2017.  [See our prior post on the Temporary Regulations and how they are applicable to physicians here].  However, there are a couple of notable proposed revisions for practitioners to be aware of:

  • The Department intends to add “anxiety disorders” and “Tourette’s Syndrome” to the definition of “serious medical condition”, as well as “any other condition recommended by the Medical Marijuana Advisory Board and approved by the Secretary.” These additions would widen the scope of conditions that can be treated with medical marijuana and pave the way for future conditions to be added through a Board recommendation process.
  • “Continuing care” would be updated for consistency with the statutory definition by adding “including an in-person consultation with the patient.” This change would eliminate any question of whether a practitioner can certify the use of medical marijuana for a patient without consulting with them in-person.
  • Practitioners would now be prohibited from charging patients “excessive fees.” The Department is proposing the change “due to patient complaints of practitioners taking advantage of the certification process by charging excessive lab testing, follow-up, or other fees not initially disclosed.” Practitioners should reconsider their fees in light of this proposed regulation.

As a reminder, failure to comply with any provision of the Act applicable to practitioners can result in sanctions by the Pennsylvania State Board of Medicine or Osteopathic Medicine and removal from the practitioner registry.

The Proposed Regulations also address, among various topics, the following:

  • Requirements for permits and applications for the same (and fees associated therewith).
  • Requirements for the operation of a medical marijuana
  • Visitor access to a medical marijuana facility and protocol pertaining to the same.
  • Requirements for growing and processing medical marijuana.
  • Acceptable forms of medical marijuana that a grower/processor may process.
  • Limits on medical marijuana processing (e.g., THC and CBD).
  • Inventory data, storage requirements, and equipment, operation and maintenance (including sanitation and safety).
  • Packaging and labeling of medical marijuana products.
  • Transportation of medical marijuana.
  • Dispensaries and the general dispensing of medical marijuana products.
  • Licensed medical professionals at a facility –
    • Of particular interest, the Proposed Regulations provide that a physician or pharmacist must be present at the facility during operating hours and, if a permittee operates more than one facility under the same permit, a physician assistant or certified nurse practitioner may cover the other sites.
  • Medical marijuana laboratories, including suspension, approval and/or revocation.
  • Medical marijuana cardholder responsibilities and revocation or suspension of an identification card.

Should you have any questions regarding the proposed permanent regulations or anything else discussed herein, please contact us.

In response to the COVID-19 pandemic, clinical laboratories have increased their diagnostic testing capabilities and expanded their business by testing COVID-19 specimens from different states and entering into arrangements to conduct COVID-19 screening for employers. Despite waivers designed to make COVID-19 testing available and accessible on a widespread basis, labs must be careful in expanding their business to ensure that they maintain compliance with federal and state laws. Similarly, companies looking to partner with labs for specimen collection should familiarize themselves with applicable federal and state laws.

For an overview of the state and federal regulatory landscape in this context, please read our client alert. For guidance on your company’s situation, please contact us.

Fox Rothschild LLP partner, William Maruca, was recently interviewed for an article in Cosmos regarding the regulatory risks to hospitals and DME suppliers who enter into arrangements to ensure that COVID-19 patients receive free home oxygen equipment.  Some hospitals have decided to take on the inherent risks in such an arrangement to address a lack of home oxygen equipment in the pandemic, so that COVID-19 patients can be discharged earlier and beds can be turned over for new patients.

Please see the full article here: Cosmos Compliance: Some Hospitals Give COVID-19 Patients Free Oxygen to Speed Up Discharge

Should you have any questions regarding these or similar arrangements from the perspective of the hospital or the DME supplier, please do not hesitate to contact William Maruca.

