Friday, February 21st, 2025

Justice Department fines companies $11M for cybersecurity violations

The U.S. Department of Justice said Health Net Federal Services Inc. (HNFS) and Centene Corporation will pay more than $11 million to resolve claims they violated cybersecurity requirements.

The DOJ said HNFS, based in Rancho Cordova, Calif., and its parent company Centene, based in St. Louis, will pay $11,253,400 to resolve the claim that HNFS falsely certified compliance with the cybersecurity requirements of its contract with the U.S. Department of Defense (DoD).

“Companies that hold sensitive government information, including sensitive information of the nation’s servicemembers and their families, must meet their contractual obligations to protect it,” Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division, said. “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

According to the DOJ, between 2015 and 2018 HNFS failed to meet certain cybersecurity controls, but falsely certified it had complied with those controls in reports to the DoD’s Defense Health Agency (DHA). HNFS was contracted to administer the DHA’s TRICARE health benefits program for military servicemembers and their families.

The DOJ said HNFS failed to scan for known vulnerabilities or to remedy security flaws on its networks and systems in a timely manner, pursuant to the company’s own System Security Plan. Additionally, the DOJ said HNFS failed to heed reports of cybersecurity risks from third-party security auditors and its internal audit department. In 2016, Centene acquired all the issued and outstanding shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS, which made it responsible for HNFS’s violations.

“This settlement reflects the significance of protecting TRICARE, and the service members and their families who depend on the health care program, from risks of exploitation,” Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service (DCIS), the law enforcement arm of the DoD Office of Inspector General, said. “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”