Court documents filed Tuesday in Conneticut’s Superior Court reveal new details about federal and state investigations into Prospect Medical Holdings, a for-profit 16-hospital system headquartered in Los Angeles.
The investigations — launched by the U.S. Department of Justice, Connecticut Attorney General and Connecticut Commissioner of Consumer Protection — allege Prospect defrauded the government and failed to safeguard patient and employees’ personal information ahead of the health system’s ransomware attack last year.
The filing is part of Yale New Haven Health and Prospect’s ongoing legal battle over a sale of hospitals valued at $435 million. Yale agreed to purchase the hospitals in 2022, however, the health system now wants out of the deal. Yale says Prospect violated terms of the purchase agreement by operating the facilities negligently since that time. Prospect has filed its own lawsuit asking the court to hold Yale to original terms.
Prospect first disclosed its trouble with regulators in a legal filing in July, when it admitted to receiving Civil Investigative Demands from both the DOJ and state regulators.
CIDs are a formal request by the government, often the DOJ, to gather information and documents related to an investigation prior to litigation. They’re a powerful tool to gain access to evidence without filing a lawsuit, and one the DOJ often opts to use. The department issued north of 1,500 CIDs last year — a record for the department.
However, little was previously known about the scope of the government’s investigation into Prospect due to heavy redactions in Yale New Haven’s complaint.
On Tuesday, a judge unsealed the original document. The full complaint revealed the DOJ had sent Prospect a Civil Investigative Demand in November, concerning allegations the health system had violated the False Claims Act by upcoding some secondary diagnoses on claims for inpatient care. The upcoded claims were then allegedly submitted to federal healthcare programs for reimbursement.
The FCA holds individuals and businesses — including providers — accountable for submitting fraudulent claims to government programs, such as Medicare and Medicaid. Providers represent a significant percentage of FCA violations: in 2023, over $1.8 billion of more than $2.68 billion in FCA settlements and judgments were related to healthcare.
The full complaint also offers searing indictments of Prospect’s cybersecurity protocols before it was hit by a ransomware attack in August 2023. The attack prompted multiple hospital closures at the time and compromised data of approximately 110,000 patient and employees, according to court filings.
The Connecticut Commissioner of Consumer Protection issued to Prospect a CID on Jan. 12 in connection with the ransomware attack, according to the complaint. The Commissioner’s ongoing investigation concerns Prospect’s “potential legal violations in connection with its failure to safeguard personal information,” according to the filing.
Prospect “systematically underinvested” in cybersecurity programs prior to the attack, according to the complaint, by not patching or upgrading systems, failing to perform routine penetration tests and running an outdated antivirus software relative to industry standards.
The system also did not appear to have a plan in place for continuing patient care if a data breach occurred, according to the complaint.
Prospect was also served a CID by the Connecticut Attorney General’s office in April 2023, centered around Prospect’s hospital funding practices, which may have been unfair or deceptive in violation of the Connecticut Unfair Trade Practices Act.
In its revised answer, a special defense and counterclaim also filed Tuesday, the system admitted to receiving CIDs from the DOJ, Connecticut AG and Commissioner. However, Prospect denied all allegations of wrongdoing.
A spokesperson for the Department of Justice said the department could not confirm or comment on any potential investigations.