Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract.

According to a U.S. Department of Justice announcement, between 2015 and 2018, HNFS allegedly failed to implement the required cybersecurity measures while administering health benefits for American military service members and their families. In the settlement agreement document, the U.S. government explains that HNFS falsely attested compliance on at least three occasions: on November 17, 2015, on February 26, 2016, and on February 24, 2017.

The contract required compliance with cybersecurity standards, specifically 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations). The DOJ claims HNFS falsely certified compliance in its reports to the DHA, making it appear that the company adequately safeguarded people's data when it did not.

The legal document clarifies that the settlement does not protect HNFS and Centene from criminal liability, administrative penalties, or civil actions if additional evidence emerges in the future. HNFS and Centene deny all allegations and maintain that no data breaches or loss of servicemember information occurred.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 20 Feb 2025 18:50:29 +0000