Michele Beckwith, Acting U.S. Attorney | U.S. Attorney for the Eastern District of California
Health Net Federal Services Inc. (HNFS) and its parent company, Centene Corporation, have agreed to pay over $11 million to settle allegations of false certification regarding federal contractor cybersecurity requirements. This announcement was made by Acting U.S. Attorney Michele Beckwith in Sacramento, California.
The case involves a contract between HNFS and the U.S. Department of Defense (DoD) for administering TRICARE, the Defense Health Agency's health insurance program for service members and their families. The settlement addresses claims that HNFS did not comply with certain cybersecurity controls from 2015 to 2018 and falsely certified compliance in annual reports required under its contract.
“Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance,” stated Acting U.S. Attorney Michele Beckwith for the Eastern District of California. “When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”
Acting Assistant Attorney General Brett A. Shumate commented on the matter: “As TRICARE’s managed healthcare services contractor, DoD entrusted HNFS with safeguarding the sensitive information of the nation’s servicemembers and their families.” He added that “the Justice Department will continue to pursue federal contractors that place such data at risk by failing to meet material cybersecurity requirements in their contracts.”
Kenneth DeChellis, Special Agent in Charge at the Cyber Field Office of the Defense Criminal Investigative Service (DCIS), emphasized the importance of protecting TRICARE from exploitation risks: “This settlement reflects the significance of protecting TRICARE, and the service members and their families who depend on the health care program, from risks of exploitation.” He further stated that “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers.”
The allegations against HNFS include failing to scan for vulnerabilities and remedy security flaws in a timely manner, as called for by its System Security Plan. The United States also alleged that HNFS ignored reports from third-party security auditors concerning issues such as asset management, access controls, configuration settings, firewalls, use of end-of-life hardware and software, patch management, vulnerability scanning, and password policies.
The settlement is part of ongoing efforts by authorities to hold accountable those entities or individuals putting sensitive information at risk through deficient cybersecurity practices or misrepresentations.
Assistant U.S. Attorney Steven Tennyson represented the United States in this matter, alongside Christopher Wilson, Laura Hill, and Jonathan Thrope of the Civil Division’s Fraud Section, with assistance from DoD’s Office of Inspector General.
It is important to note that these claims are allegations only; no determination of liability has been made.