Department of Defense contractor Health Net Federal Services (HNFS) and its parent company Centene Corporation have agreed to pay $11 million in a settlement over false claims of compliance with federal contractor cybersecurity requirements.
Allegedly, HNFS, which was contracted by the Department of Defense (DoD) in 2010 to administer the TRICARE health insurance program for US military servicemembers and their families, not only failed to comply with cybersecurity requirements, but also lied about its certification.
According to the US government, between 2015 and 2018, the Rancho Cordova, California-based healthcare provider failed to implement the cybersecurity controls required for the TRICARE program, and to ensure that these controls operated as intended.
According to the settlement agreement, the company allegedly failed to scan for vulnerabilities in its networks and systems and to remedy them in a timely manner, as defined in its security plan.
HNFS, the US government says, also ignored reports from third-party auditors detailing cybersecurity defects related to asset management, access control, firewalls, patch management, password policies, vulnerability scanning, and legacy hardware and software.
Furthermore, the US government alleges that HNFS filed three false annual compliance certifications claiming that it was meeting the cybersecurity requirements defined under the government contract.
Although they agreed to pay $11,253,400 – including $5,626,700 in restitution – to resolve the US government’s claims, HNFS and Centene deny the allegations, saying that no data was lost or exfiltrated from their systems.
According to the US government, “there has been no determination of liability” and the claims against HNFS and Centene remain mere allegations.
“This Settlement Agreement is neither an admission of liability by HNFS or Centene nor a concession by the United States that its claims are not well founded,” the settlement agreement reads.
