The Cleveland Clinic Foundation (CCF) recently agreed to pay $7,600,000 to resolve allegations that it violated the False Claims Act (FCA) by submitting to the National Institutes of Health (NIH) federal grant applications and progress reports in which CCF failed to disclose that a key employee involved in administering the grants had pending and/or active financial research support from other sources.
The settlement also resolved allegations that CCF violated NIH password policies by permitting CCF employees to share passwords. Sharing passwords, logins, or IDs violates many federal regulations and WashU policy in most situations. The underlying reason is that shared logins are easier for the bad guys to mis-use to cause a cyberattack or breach. Sharing also eliminates important traceability of changes to information, potentially causing harm to the integrity of information such as medical records. In the case of Cleveland Clinic and others, financial penalties are often just the tip of the iceberg. Other important rights may be suspended or terminated due to lack of compliance.
If you are aware of the use of shared logins or passwords in your area, please review our Password Policy at (https://informationsecurity.wustl.edu/items/password-policy/), and contact infosec@wustl.edu to have the situation evaluated further. Thank you for helping keep WashU safe and compliant!