
US Military Health Provider HNFS Pays $11M in Settlement Over Cybersecurity Failures

US military health benefits program administrator HNFS to pay $11 million in settlement over its false claims of cybersecurity compliance.

Department of Defense contractor Health Net Federal Services (HNFS) and its parent company Centene Corporation have agreed to pay $11 million in a settlement over false claims of compliance with federal contractor cybersecurity requirements.

Allegedly, HNFS, which was contracted by the Department of Defense (DoD) in 2010 to administer the TRICARE health insurance program for US military servicemembers and their families, not only failed to comply with cybersecurity requirements, but also lied about its certification.

According to the US government, between 2015 and 2018, the Rancho Cordova, California-based healthcare provider failed to implement the cybersecurity controls required for the TRICARE program, and to ensure that these controls operated as intended.

The company allegedly failed to scan for vulnerabilities in its networks and systems and to remedy them in a timely manner, as defined in its security plan, according to the settlement agreement.

HNFS, the US government says, also ignored reports from third-party auditors detailing cybersecurity defects related to asset management, access control, firewalls, patch management, password policies, vulnerability scanning, and legacy hardware and software.

Furthermore, the US government alleges that HNFS filed three false annual compliance certifications claiming that it was meeting the cybersecurity requirements defined under the government contract.

Although they agreed to pay $11,253,400 – including $5,626,700 in restitution – to resolve the US government’s claims, HNFS and Centene deny the allegations, saying that no data was lost or exfiltrated from their systems.

According to the US government, “there has been no determination of liability” and the claims against HNFS and Centene remain mere allegations.

“This Settlement Agreement is neither an admission of liability by HNFS or Centene nor a concession by the United States that its claims are not well founded,” the settlement agreement reads.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
