
A major healthcare provider, Health Net Federal Services (HNFS), along with its parent company Centene Corporation, has agreed to a settlement of $11,253,400. This resolution addresses accusations of falsely certifying compliance with cybersecurity mandates under a Defense Health Agency (DHA) TRICARE contract.
Background of the Allegations
HNFS was contracted by the U.S. government to deliver managed healthcare support for TRICARE's North region, spanning 22 states. The contract stipulated adherence to cybersecurity standards, notably 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53.
Details of Non-Compliance
The U.S. Department of Justice reported that between 2015 and 2018, HNFS allegedly failed to meet the required cybersecurity protocols while managing health benefits for military personnel and their families. Despite this, HNFS purportedly submitted false compliance reports to the DHA, suggesting adequate data protection measures were in place. The alleged shortcomings included:
- Failure to scan for n-day vulnerabilities and apply timely fixes.
- Neglecting audit findings that highlighted cybersecurity risks.
- Lack of industry-standard asset management, access controls, and firewall protections.
- Use of outdated hardware and software.
- Non-adherence to strong password policies.
Settlement and Future Implications
The settlement document reveals that HNFS falsely attested compliance on at least three occasions: November 17, 2015, February 26, 2016, and February 24, 2017. Despite denying all allegations and asserting no data breaches occurred, HNFS and Centene agreed to the settlement.
Importantly, the agreement does not shield HNFS and Centene from potential future criminal liability if new evidence or civil actions arise.
Takeaway: This case underscores the critical importance of genuine cybersecurity compliance.