US healthcare org pays $11M settlement over alleged cybersecurity lapses
Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract.
The U.S. government contracted HNFS to provide managed healthcare support services for TRICARE's North region, covering 22 states.
The contract required compliance with cybersecurity standards, specifically 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations).
According to a U.S. Department of Justice announcement, between 2015 and 2018, HNFS allegedly failed to implement the required cybersecurity measures while administering health benefits for American military service members and their families.
At the same time, the DOJ claims HNFS falsely certified compliance in its reports to the DHA, making it appear that it adequately safeguarded beneficiaries' data when it did not.
Specifically, HNFS allegedly failed to take the following measures:
- Scan for n-day vulnerabilities in its systems and apply fixes in a timely manner.
- Consider the findings of auditing reports highlighting cybersecurity risks and take action to remediate them.
- Implement industry-standard asset management, access controls, firewall protections, and patch management.
- Avoid using outdated hardware and software.
- Follow strong account password policies.
In the settlement agreement document, the U.S. government explains that HNFS falsely attested compliance on at least three occasions: on November 17, 2015, on February 26, 2016, and on February 24, 2017.
HNFS and Centene deny all allegations and maintain that no data breaches or loss of service member information occurred. Nonetheless, they agreed to pay $11,253,400 to settle the allegations.
The legal document clarifies that the settlement does not shield HNFS and Centene from criminal liability, administrative penalties, or further civil actions should additional evidence emerge in the future.