Health Net Federal Services Inc. (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations of non-compliance with federal cybersecurity requirements. The announcement was made by Acting U.S. Attorney Michele Beckwith in Sacramento, California.
The case involves a contract between HNFS and the U.S. Department of Defense (DoD) for administering TRICARE, a health insurance program for service members and their families. According to Beckwith, "Safeguarding sensitive government information...is of paramount importance." She added that HNFS's failure to meet cybersecurity obligations constituted a breach of both contract and duty.
Acting Assistant Attorney General Brett A. Shumate emphasized the Justice Department's commitment to pursuing contractors who fail to protect sensitive data: “The Justice Department will continue to pursue federal contractors that place such data at risk by failing to meet material cybersecurity requirements in their contracts.”
Kenneth DeChellis from the Defense Criminal Investigative Service highlighted the settlement's importance in protecting TRICARE beneficiaries from exploitation risks: “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements.”
The allegations cover the period from 2015 to 2018 when HNFS reportedly failed to adhere to required cybersecurity controls while falsely certifying compliance in annual reports. The United States claimed HNFS did not adequately scan for vulnerabilities or address security flaws as per its System Security Plan.
Assistant U.S. Attorney Steven Tennyson represented the United States in this matter alongside other officials from the Civil Division’s Fraud Section and various DoD offices.
It is important to note that these claims are allegations only, with no determination of liability made against HNFS or Centene Corporation.