Health Net Federal Services (HNFS), a contractor responsible for administering the Department of Defense’s TRICARE health insurance program, has agreed to pay an $11 million settlement over allegations of cybersecurity violations and false claims of compliance.
The settlement, which includes $5.6 million in restitution, resolves a series of claims brought by the U.S. government accusing HNFS and its parent company, Centene Corporation, of failing to meet cybersecurity requirements critical to safeguarding sensitive data under the TRICARE program.
Alleged Cybersecurity Shortcomings
Between 2015 and 2018, HNFS, based in Rancho Cordova, California, allegedly neglected its obligations under the federal contractor cybersecurity requirements for the TRICARE program. According to the U.S. government, HNFS failed to implement the security controls required to protect the personal and medical information of military servicemembers and their families.
The company allegedly did not scan its systems for vulnerabilities or address those vulnerabilities in a timely manner, as mandated in its security plan. Additionally, HNFS allegedly disregarded multiple reports from third-party auditors highlighting deficiencies in asset management, access controls, firewalls, patch management, password policies, and other key cybersecurity measures.
According to the allegations, HNFS nonetheless submitted false annual compliance certifications between 2015 and 2018, assuring the government that it was meeting the necessary cybersecurity standards.
No Admission of Fault
While HNFS and Centene have agreed to pay the $11 million to settle the claims, they have denied any wrongdoing. The companies assert that no data was lost or compromised as a result of the alleged failures. Furthermore, the settlement explicitly states that there has been “no determination of liability” by the government, with the claims remaining as unproven allegations.
The settlement agreement states that it is neither an admission of liability by HNFS or Centene nor a concession that the U.S. government’s claims are unfounded.
The Bigger Picture
This settlement highlights the growing emphasis on cybersecurity compliance for contractors dealing with sensitive government data, particularly in the healthcare sector. With rising concerns about data breaches and cyberattacks targeting critical infrastructure, contractors face closer scrutiny to ensure that robust cybersecurity practices are in place.
The case also underscores the risks for companies that fail to meet the stringent requirements of federal contracts, especially when those failures involve critical data like health records. With TRICARE being the healthcare provider for millions of U.S. military personnel and their families, any lapse in security could have significant repercussions.
As the cybersecurity landscape continues to evolve, this case serves as a reminder to contractors that compliance is not optional—especially when the stakes involve the protection of sensitive personal and health information.