US healthcare org pays $11M settlement over alleged cybersecurity lapses

Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract.

The U.S. government contracted HNFS to provide managed healthcare support services for TRICARE's North region, covering 22 states.

The contract required compliance with cybersecurity standards, specifically 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations).

According to a U.S. Department of Justice announcement, between 2015 and 2018, HNFS allegedly failed to implement the required cybersecurity measures while administering health benefits for American military service members and their families.

At the same time, the DOJ claims HNFS falsely certified compliance in their reports to the DHA, making it appear as if they adequately safeguarded people's data, although they didn't.

Specifically, HNFS has failed to take the following measures:

• Scan for n-day vulnerabilities in its systems and apply fixes in a timely manner.
• Consider the findings of auditing reports highlighting cybersecurity risks and take action to remediate them.
• Implement industry-standard assets management, access controls, firewall protections, and patch management.
• Avoid using outdated hardware and software.
• Follow strong account password policies.

In the settlement agreement document, the U.S. state explains that HNFS falsely attested compliance on at least three occasions: on November 17, 2015, on February 26, 2016, and on February 24, 2017.

HNFS and Centene deny all allegations and maintain that no data breaches or loss of servicemember information occurred. However, they still agreed to pay $11,253,400 to settle the allegations.

The legal document clarifies that the settlement does not protect HNFS and Centene from criminal liability if additional evidence, administrative penalties, or civil actions emerge in the future.