Introduction

Health Net Federal Services (HNFS) [1] [2] [3] [4] [5] [6] [7], a subsidiary of Centene Corporation based in California [3] [5] [6], has reached a settlement agreement to pay $11,253,400. This settlement addresses allegations of submitting false cybersecurity compliance certifications under a US Department of Defense (DoD) contract. The contract involved administering the Defense Health Agency’s (DHA) TRICARE health benefits program for American military service members and their families [3] [5].

Description

California-based Health Net Federal Services (HNFS) [3] [5], a subsidiary of Centene Corporation [3] [5] [6], has agreed to pay $11,253,400 to settle allegations of submitting false cybersecurity compliance certifications under its US Department of Defense (DoD) contract for administering the Defense Health Agency’s (DHA) TRICARE health benefits program for American military service members and their families. This contract [2] [6] [7], which provides managed healthcare support services for TRICARE’s North region across 22 states [2], required strict adherence to cybersecurity protocols as specified in 48 C.F.R. § 252.204-7012 and the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) [6].

Between 2015 and 2018 [2] [6] [7], HNFS allegedly failed to implement essential cybersecurity measures [2] [7], in particular by not conducting timely vulnerability scans and not remediating known security flaws within the response times set by its own System Security Plan [3]. The company is accused of misleading the DHA about the adequacy of the safeguards protecting sensitive data and of ignoring warnings from both internal and third-party security auditors about risks in asset management, access controls [2] [3] [5] [7], configuration settings [3] [5], firewall protections [7], patch management [2] [3] [5] [7], outdated hardware and software [2] [3] [7], and password policies [2] [3] [5] [7]. Furthermore, HNFS is alleged to have falsely attested compliance in its annual reports to DHA on at least three occasions: November 17, 2015; February 26, 2016; and February 24, 2017. The government alleged that these attestations violated the False Claims Act (FCA), which penalizes the submission of false claims to the government [6].

While HNFS and Centene deny that these security deficiencies led to any data breach or loss of servicemember information, they agreed to the settlement amount [7]. The settlement agreement neither confirms nor disputes that denial, and it does not shield the companies from potential criminal liability or further legal action if new evidence arises. This case highlights vulnerabilities within the healthcare sector [2], particularly where sensitive information about military personnel and their families is concerned [2], and it emphasizes that organizations must actively implement and maintain robust cybersecurity measures rather than merely certify compliance [2].

Officials have underscored the importance of safeguarding sensitive government information, particularly information concerning the health and well-being of service members and their families [6]. The settlement may lead to increased scrutiny from federal agencies of compliance certifications [2], a stronger focus on proactive cybersecurity measures [2], and potentially stricter penalties for organizations that do not meet cybersecurity standards [2]. Developers and cybersecurity professionals should advocate for best practices [2], including automated vulnerability scanning [2], regular updates to security policies in line with NIST guidelines [2], and security training for employees to promote a culture of security awareness [2]. The settlement serves as a cautionary tale for the tech and healthcare industries [2], underscoring the high cost of negligence in protecting sensitive data [2].

Conclusion

The settlement between HNFS and the US government underscores the critical importance of maintaining rigorous cybersecurity standards, especially when handling sensitive information related to military personnel [2]. This case may prompt increased scrutiny from federal agencies on compliance certifications and encourage organizations to adopt proactive cybersecurity measures. It serves as a reminder to the tech and healthcare industries of the significant consequences of failing to protect sensitive data, highlighting the need for continuous improvement in cybersecurity practices and awareness.

References

[1] https://www.malwarebytes.com/blog/news/2025/02/healthcare-security-lapses-keep-piling-up
[2] https://news.lavx.hu/article/cybersecurity-compliance-fiasco-health-net-federal-services-settles-for-11m
[3] https://lawblog123.com/dod-contractor-pays-112m-over-false-cyber-certifications-claims-infosecurity-magazine_1330532.html
[4] https://cyber.vumetric.com/security-news/2025/02/20/us-healthcare-org-pays-11m-settlement-over-alleged-cybersecurity-lapses/
[5] https://www.infosecurity-magazine.com/news/dod-contractor-pays-false-cyber/
[6] https://www.grip.globalrelay.com/doj-fines-healthcare-services-contractor-11m-over-false-cybersecurity-claims/
[7] https://tech-wire.in/technology/us-healthcare-org-pays-11m-settlement-over-alleged-cybersecurity-lapses/