Health Firm Settles Cyber Fraud Case for $11.2M

Introduction
A military health benefits administrator, Health Net Federal Services (HNFS), has agreed to pay $11.2 million to settle allegations that it falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (DOD). The settlement, announced by the U.S. Department of Justice (DOJ), resolves claims that between 2015 and 2018, HNFS failed to implement required cybersecurity controls and falsely attested to compliance in three annual reports submitted to the DOD.
Cybersecurity Compliance Failures
The cybersecurity requirements were part of HNFS’s contract to administer TRICARE, the health benefits program of the DOD’s Defense Health Agency that provides healthcare services for military service members and their families. The DOJ alleged that HNFS did not adhere to several mandatory cybersecurity standards, including timely scanning for vulnerabilities and addressing security flaws within its networks and systems.
Acquisition and Liability Assumption
Health Net Federal Services was previously owned by Health Net Inc., a California-based company. In 2016, Centene Corporation acquired Health Net Inc. and assumed HNFS’s liabilities. As a result, Centene was also included in the DOJ’s settlement agreement.
Statement from the U.S. Government
The acting U.S. attorney for the Eastern District of California stated that HNFS’s failure to uphold its cybersecurity obligations went beyond breaching its government contract—it also violated the trust of military personnel and their families. The DOJ emphasized that contractors handling sensitive government information must fulfill their cybersecurity commitments. The acting assistant attorney general of the DOJ’s civil division reaffirmed the government’s commitment to holding contractors accountable for cybersecurity violations to protect national security and Americans’ privacy.
Specific Cybersecurity Violations
According to the DOJ, HNFS ignored findings from third-party security auditors and its internal audit department, which identified critical cybersecurity risks. These risks involved asset management, access controls, configuration settings, firewalls, outdated hardware and software, patch management, vulnerability scanning, and password policies. Additionally, the DOJ accused HNFS of falsely certifying compliance with at least seven security controls from the National Institute of Standards and Technology (NIST) 800-53 framework in certifications submitted to the DOD’s Defense Health Agency in 2015, 2016, and 2017.
False Claims and Settlement Terms
As a result of these alleged misrepresentations, the DOJ argued that HNFS’s claims for reimbursement under its contract were fraudulent, regardless of whether there was any actual data breach or loss of service member health information. Despite denying the allegations, HNFS and Centene agreed to the $11.2 million settlement to avoid prolonged litigation. The agreement does not prevent the U.S. government from pursuing other claims against HNFS, such as tax violations or potential criminal liability.
Lack of Federal Response on Criminal Charges
The DOJ has not confirmed whether federal prosecutors are considering criminal charges against HNFS or Centene. Information Security Media Group (ISMG) reached out to the DOJ for further details, but the department did not provide an immediate response.
HNFS Response and Contract Termination
A spokesperson for HNFS defended the company’s track record, emphasizing that it has supported service members and their families for over 35 years. The spokesperson reiterated that no data breach or loss of service member information had occurred but expressed satisfaction in resolving the dispute.
HNFS officially ceased providing healthcare services under its TRICARE West Region contract on December 31, 2024. TriWest Healthcare Alliance has since taken over as the successor contractor for the TRICARE West Region.