Health Net Federal Services and Centene to Pay $11.2 Million Over Cybersecurity Violations

Health Net Federal Services and its parent company Centene Corporation agree to pay $11.25 million after failing to meet cybersecurity standards under their TRICARE contract with the Defense Health Agency.

Feb 27, 2025 - 13:52
Mar 1, 2025 - 01:13

Health Net Federal Services (HNFS), a U.S.-based healthcare provider, along with its parent company Centene Corporation, has agreed to pay $11,253,400 to resolve allegations that they failed to implement adequate cybersecurity measures under their TRICARE contract with the Defense Health Agency (DHA). The U.S. Department of Justice announced that HNFS, during its provision of healthcare services to U.S. military personnel and their families between 2015 and 2018, did not comply with required cybersecurity protocols. The company is also accused of making false claims regarding its adherence to security standards.

Security Vulnerabilities Identified
Under the terms of the contract, HNFS was required to comply with cybersecurity controls outlined in 48 C.F.R. § 252.204-7012 and the National Institute of Standards and Technology (NIST) Special Publication 800-53. However, HNFS reportedly neglected several critical security measures, including:

  • Failure to scan systems for security vulnerabilities and promptly address issues
  • Ignoring risks outlined in audit reports and failing to take corrective actions
  • Not implementing asset management, access control, firewall protections, and patch management
  • Using outdated hardware and software
  • Not enforcing strong password policies

The U.S. Department of Justice also revealed that HNFS submitted false compliance certifications on at least three occasions: November 17, 2015, February 26, 2016, and February 24, 2017.

Company Denies Allegations
While HNFS and Centene deny any data breaches or information leaks, they have agreed to pay the $11.25 million fine as part of a settlement. However, the agreement does not exempt the companies from potential future criminal or administrative penalties if new evidence arises.
