Health Net Federal Services, LLC (HNFS) and its parent company, Centene Corporation, have reached a settlement agreement with the U.S. Department of Defense (DoD) to pay over $11 million following allegations of falsely certifying compliance with cybersecurity requirements. This resolution highlights the enforcement of cybersecurity regulations for government contractors handling sensitive information.
The settlement stems from allegations that HNFS and Centene Corporation failed to meet required cybersecurity standards while administering the Defense Health Agency's (DHA) TRICARE health benefits program. TRICARE serves U.S. servicemembers and their families, making cybersecurity compliance a vital component of the contract. Between 2015 and 2018, HNFS allegedly provided false certifications of compliance with cybersecurity controls in its annual reports to DHA. The U.S. government contended that HNFS failed to scan for known vulnerabilities and to remediate security flaws within the response times prescribed in its System Security Plan. Centene Corporation became party to the settlement because it acquired HNFS's parent company in 2016; the agreed settlement amount totals $11,253,400.
Government officials have stressed the significance of adhering to cybersecurity requirements, particularly regarding the handling of sensitive government and personal data. Acting Assistant Attorney General Brett A. Shumate of the DOJ remarked on the necessity for companies holding sensitive government information to fulfill their contractual obligations to safeguard that data. Acting U.S. Attorney Michele Beckwith reiterated the importance of cybersecurity obligations, emphasizing that failing to uphold them breaches a duty owed to servicemembers. Kenneth DeChellis, Special Agent in Charge of the Cyber Field Office at the Defense Criminal Investigative Service (DCIS), highlighted the critical need to protect TRICARE and its beneficiaries from the exploitation risks posed by cybersecurity failures.
The DOJ outlined several cybersecurity shortcomings contributing to the allegations against HNFS, including failures to scan for vulnerabilities, unaddressed security risks, asset management issues, inadequate access controls, configuration and firewall weaknesses, use of outdated hardware and software, poor patch management, and lax password policies.
The settlement serves as a stark reminder of the increased scrutiny on cybersecurity compliance for government contractors in the face of evolving cyber threats. Agencies like the DOJ and DoD are implementing stringent measures to ensure that companies entrusted with sensitive government data adhere to cybersecurity best practices. Non-compliance not only jeopardizes government contracts but also exposes organizations to potential financial penalties and reputational harm.
In conclusion, the hefty settlement underscores the critical importance of cybersecurity compliance in federal contracts. Companies must prioritize security measures, comply with contract obligations, and proactively safeguard sensitive information from cyber threats amidst growing regulatory oversight. As the enforcement of cybersecurity standards intensifies, organizations must bolster their cybersecurity frameworks to mitigate risks and fortify defenses against evolving cyber threats.
