Health Net Federal Services, LLC (HNFS) and its parent company, Centene Corporation, have agreed to pay over $11 million to resolve allegations that they falsely certified compliance with cybersecurity requirements under a contract with the U.S. Department of Defense (DoD).
The settlement highlights the growing enforcement of cybersecurity regulations for government contractors handling sensitive information.
Background of the Settlement
HNFS, based in Rancho Cordova, California, and its parent company, St. Louis-based Centene Corporation, were accused of failing to meet required cybersecurity standards while administering the Defense Health Agency’s (DHA) TRICARE health benefits program. TRICARE provides medical benefits to U.S. servicemembers and their families, making cybersecurity compliance a critical aspect of the contract.
According to the U.S. Department of Justice (DOJ), HNFS falsely certified its compliance with cybersecurity controls between 2015 and 2018. These certifications were submitted in annual reports to DHA, as required under the terms of its TRICARE administration contract. The U.S. government alleged that HNFS failed to scan for known vulnerabilities and address security flaws within the required response times, as outlined in its System Security Plan.
Centene Corporation, which acquired HNFS’s corporate parent in 2016, assumed the liabilities of HNFS, making it a party to the settlement. The total amount agreed upon in the settlement is $11,253,400.
Government’s Response to Cybersecurity Lapses
Government officials emphasized the importance of cybersecurity compliance, particularly when handling sensitive government and personal data.
“Companies that hold sensitive government information, including information about the nation’s servicemembers and their families, must meet their contractual obligations to protect it,” said Acting Assistant Attorney General Brett A. Shumate, head of the DOJ’s Civil Division. “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”
Acting U.S. Attorney Michele Beckwith for the Eastern District of California reinforced this stance, stating, “When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”
Kenneth DeChellis, Special Agent in Charge of the Cyber Field Office at the Defense Criminal Investigative Service (DCIS), highlighted the potential risks of cybersecurity failures, stating, “This settlement reflects the significance of protecting TRICARE and the service members and their families who depend on the health care program from risks of exploitation.”
Specific Allegations Against HNFS
The DOJ detailed several cybersecurity failures that contributed to the allegations against HNFS:
- Failure to Scan for Vulnerabilities: HNFS did not conduct timely scans to identify known cybersecurity vulnerabilities within its systems.
- Unaddressed Security Risks: Reports from third-party security auditors and HNFS’s own internal audit team identified cybersecurity weaknesses that were not remedied.
- Asset Management Issues: HNFS struggled with managing and securing its IT assets, which increased risks of unauthorized access.
- Inadequate Access Controls: Weak access control mechanisms potentially left sensitive data exposed to unauthorized users.
- Configuration and Firewall Weaknesses: The company failed to properly configure security settings and maintain firewall protections, increasing the risk of external threats.
- Use of Outdated Hardware and Software: End-of-life technology that was no longer supported by vendors remained in use, exposing systems to unpatched vulnerabilities.
- Poor Patch Management: HNFS did not install critical security updates in a timely manner, leaving systems open to known cyber threats.
- Lax Password Policies: Weak password security policies increased the likelihood of credential theft and unauthorized access.
Implications for Federal Contractors
The settlement underscores the increasing scrutiny on cybersecurity compliance for government contractors. As cyber threats grow more sophisticated, agencies like the DOJ and DoD are enforcing strict measures to ensure companies entrusted with sensitive government data adhere to cybersecurity best practices.
Failure to comply with cybersecurity requirements not only puts government contracts at risk but also exposes organizations to potential financial penalties and reputational damage. The False Claims Act, which holds contractors accountable for false certifications of compliance, remains a powerful tool for the government to enforce cybersecurity standards.
Conclusion
The $11 million settlement between Health Net Federal Services, Centene Corporation, and the U.S. government sends a clear message about the importance of cybersecurity compliance in federal contracts. Companies handling sensitive government information must prioritize security measures to protect data from cyber threats.
As regulatory oversight increases, companies must strengthen their cybersecurity frameworks, ensure compliance with contract obligations, and take proactive steps to protect sensitive information from cyber threats.
