Health Net Federal Services LLC (HNFS), based in Rancho Cordova, and its parent company, Centene Corporation, are set to pay a hefty sum to the federal government over allegations of cybersecurity non-compliance. In a deal announced by Acting U.S. Attorney Michele Beckwith for the Eastern District of California, the companies will pay over $11 million to settle charges that they falsely claimed to have met critical cybersecurity requirements in a contract with the United States Department of Defense (DoD).
Under scrutiny was HNFS's role in managing the TRICARE health insurance program, and providing services to service members and their families. The Department of Justice took a firm stance on the issue, with the payment intended to resolve allegations that spanned from 2015 to 2018 where HNFS reportedly ignored significant cybersecurity controls, in defiance of the trust placed by DoD, and still certified their compliance in annual reports, according to a statement obtained by the U.S. Attorney's Office for the Eastern District of California.
"When HNFS failed to uphold its cybersecurity obligations, it didn't just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation," said Beckwith in her announcement. Acting Assistant Attorney General Brett A. Shumate of the Justice Department's Civil Division highlighted that the government will "continue to pursue federal contractors that place such data at risk by failing to meet material cybersecurity requirements in their contracts."
The settlement also underlines the Department's ongoing efforts to protect sensitive information, which, in HNFS's case, involved repeated failures over several years allegedly to timely scan for known vulnerabilities and to remedy security flaws on its networks. Even faced with third-party security audits and internal warnings of cybersecurity risks, reports claim that HNFS chose to annually certify their compliance to DoD, thus submitting what the government labeled as false claims for payment, as per information released by the Justice Department.
The case was helmed by Assistant U.S. Attorney Steven Tennyson, alongside Christopher Wilson, Laura Hill, and Jonathan Thrope from the Civil Division's Fraud Section, and was assisted by the DoD's Office of Inspector General, including the DCIS, Cyber Field Office Western Region, the Inspector General's Office of Audits, Cyberspace Operations Directorate, and DoD's Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center. It's important to note that while HNFS and Centene Corporation have agreed to the settlement, no determination of liability has been made as these are allegations.
