Health Net Federal Services Inc. (HNFS) and its parent company, Centene Corporation, have agreed to a settlement of $11,253,400 with the U.S. Department of Defense (DoD). The settlement resolves allegations that HNFS falsely certified compliance with cybersecurity requirements in their contract to manage the TRICARE health benefits program for military personnel and their families.
"Companies that hold sensitive government information, including sensitive information of the nation’s servicemembers and their families, must meet their contractual obligations to protect it," stated Acting Assistant Attorney General Brett A. Shumate from the Justice Department’s Civil Division. He emphasized ongoing efforts to address violations of cybersecurity requirements by federal contractors.
Acting U.S. Attorney Michele Beckwith for the Eastern District of California remarked on the importance of safeguarding sensitive government information related to service members' health and well-being. "When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government; it breached its duty to the people who sacrifice so much in defense of our nation."
The settlement addresses claims that between 2015 and 2018, HNFS did not adhere to specific cybersecurity controls and inaccurately reported compliance in annual submissions required under its TRICARE program contract. Allegations include failure to scan for vulnerabilities promptly and neglecting security flaws as outlined in their System Security Plan.
Kenneth DeChellis, Cyber Field Office Special Agent in Charge at DCIS, highlighted the significance of protecting TRICARE from exploitation risks: "DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements."
The matter was managed by the Civil Division’s Commercial Litigation Branch (Fraud Section) alongside the U.S. Attorney’s Office for the Eastern District of California, with assistance from various DoD offices.
Trial Attorneys Christopher Wilson, Laura Hill, Jonathan Thrope from the Civil Division’s Fraud Section, and Assistant U.S. Attorney Steven Tennyson represented the United States.
It is important to note that these claims are allegations only; there has been no determination of liability.