Health Net Federal Services Inc. of Rancho Cordova, California and its corporate parent, St. Louis-based Centene Corporation, have agreed to pay $11,253,400 to resolve claims that HNFS falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense to administer the Defense Health Agency’s TRICARE health benefits program for servicemembers and their families.
In 2016, Centene acquired all of the issued and outstanding shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS.
“Companies that hold sensitive government information, including sensitive information of the nation’s servicemembers and their families, must meet their contractual obligations to protect it,” said Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division. “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”
“Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance,” said Acting U.S. Attorney Michele Beckwith for the Eastern District of California. “When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government. It breached its duty to the people who sacrifice so much in defense of our nation.”
“This settlement reflects the significance of protecting TRICARE, and the service members and their families who depend on the health care program, from risks of exploitation,” said Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service (DCIS), the law enforcement arm of the DoD Office of Inspector General. “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”
The settlement resolves allegations that, between 2015 and 2018, HNFS failed to meet certain cybersecurity controls and falsely certified compliance with them in annual reports to DHA that were required under its contract to administer the TRICARE program.
The United States alleged that HNFS failed to scan for known vulnerabilities timely and to remedy security flaws on its networks and systems in accordance with its System Security Plan and the response times HNFS had established.
Furthermore, the United States alleged that HNFS ignored reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’ networks and systems related to asset management, access controls, configuration settings, firewalls; end-of-life hardware and software in use; patch management (i.e., installing critical security updates released by vendors to counter known threats); vulnerability scanning; and password policies.
