Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11.25 million to settle allegations of falsely certifying compliance with cybersecurity requirements under their Defense Health Agency (DHA) TRICARE contract.

The U.S. Department of Justice (DOJ) announced that between 2015 and 2018, HNFS failed to implement necessary cybersecurity measures while managing healthcare services for military personnel and their families.

The contract required HNFS to adhere to strict cybersecurity standards, including 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53. However, the DOJ claims HNFS misrepresented its compliance in official reports, despite failing to:

  • Scan for and remediate known vulnerabilities promptly.
  • Address security risks identified in audit reports.
  • Implement industry-standard security practices, including firewall protections and access controls.
  • Replace outdated hardware and software.
  • Enforce strong password policies.

The DOJ states that HNFS falsely certified compliance on at least three occasions between 2015 and 2017. While HNFS and Centene deny the allegations and assert that no data breaches occurred, they have agreed to the settlement. Notably, this agreement does not exempt them from potential future criminal liability, administrative penalties, or civil actions if further evidence emerges.
