U.S. healthcare corporations agree to pay $11.2M over non-compliance with cybersecurity requirements

Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to resolve claims that HNFS falsely certified compliance with cybersecurity requirements in a contract with the Department of Defense.
Under that contract, the healthcare organizations agreed to carry out the Defense Health Agency’s (DHA) TRICARE health benefits program for servicemembers and their families.
According to the Department of Justice, HNFS failed to meet certain cybersecurity controls and falsely certified compliance with them in annual reports to DHA. These cybersecurity controls were required under its contract to show that the companies adequately protected people’s data. But in reality, they didn’t.
The Department of Justice claims that HNFS and its parent company failed to scan their networks and systems for known vulnerabilities and remedy these security flaws. In addition, HNFS ignored reports from third-party security auditors and its internal audit department.
Furthermore, HNFS and Centene Corporation neglected to implement industry-standard security measures related to asset management, access controls, configuration settings, firewalls, vulnerability scanning, and password policies.
Lastly, the companies used outdated hardware and software, and neglected to install critical security updates released by vendors to counter known threats.
According to the settlement agreement, HNFS and Centene Corporation falsely claimed compliance on at least three occasions between 2015 and 2018. The healthcare corporations deny all allegations and further deny that any exfiltration or loss of data occurred as a result of their conduct.
Nevertheless, they are willing to collectively pay $11,253,400 to settle this matter. The settlement agreement, however, doesn’t protect HNFS and Centene from criminal liability if additional evidence, administrative penalties, or civil actions emerge in the future.
“Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance. When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation,” Acting U.S. Attorney Michele Beckwith for the Eastern District of California said in a statement.