Health Net Federal Services LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability Related to Cybersecurity

SACRAMENTO, Calif. — Health Net Federal Services Inc. (HNFS) of Rancho Cordova and its corporate parent, Centene Corporation, have agreed to pay $11,253,400 to resolve claims that HNFS falsely certified compliance with federal contractor cybersecurity requirements, Acting U.S. Attorney Michele Beckwith announced. The cybersecurity requirements were contained in a contract between HNFS and the U.S. Department of Defense (DoD) to administer the Defense Health Agency’s (DHA) health insurance program TRICARE for servicemembers and their families.

“Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance,” said Acting U.S. Attorney Michele Beckwith for the Eastern District of California. “When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”

“As TRICARE’s managed healthcare services contractor, DoD entrusted HNFS with safeguarding the sensitive information of the nation’s servicemembers and their families,” said Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division. “The Justice Department will continue to pursue federal contractors that place such data at risk by failing to meet material cybersecurity requirements in their contracts.”

“This settlement reflects the significance of protecting TRICARE, and the service members and their families who depend on the health care program, from risks of exploitation,” said Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service (DCIS), the law enforcement arm of the DoD Office of Inspector General. “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”

The settlement resolves allegations that, between 2015 and 2018, HNFS failed to meet certain cybersecurity controls and falsely certified compliance with them in annual reports to DHA that were required under its contract. The United States alleged that HNFS failed to timely scan for known vulnerabilities and to remedy security flaws on its networks and systems, in accordance with its System Security Plan and the response times HNFS had established. Furthermore, the United States alleged HNFS ignored reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’s networks and systems related to asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management (i.e., installing critical security updates released by vendors to counter known threats); vulnerability scanning; and password policies. Nonetheless, the United States alleged, HNFS annually certified to DHA that it complied with controls that it violated and, for all of these reasons, its claims for payment were false.

The government’s pursuit of this matter is part of its ongoing efforts to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents. Information on how to report cyberfraud can be found here.

The United States was represented in this matter by Assistant U.S. Attorney Steven Tennyson, along with Christopher Wilson, Laura Hill, and Jonathan Thrope of the Civil Division’s Fraud Section, with assistance from DoD’s Office of Inspector General, including the DCIS, Cyber Field Office Western Region, the Inspector General’s Office of Audits, Cyberspace Operations Directorate, and DoD’s Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center.

The claims asserted against defendants are allegations only; there has been no determination of liability.

https://justice.gov/usao-edca/media/1389341/dl?inline