Skip to main content

Health Firm Settles Cyber Fraud Case for $11.2M

Health Firm Settles Cyber Fraud Case for $11.2M

Health Firm Settles Cyber Fraud Case for $11.2M

Introduction

A military health benefits administrator, Health Net Federal Services (HNFS), has agreed to pay $11.2 million to settle allegations that it falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (DOD). The settlement, announced by the U.S. Department of Justice (DOJ), resolves claims that between 2015 and 2018, HNFS failed to implement required cybersecurity controls and falsely attested to compliance in three annual reports submitted to the DOD.

Cybersecurity Compliance Failures

The cybersecurity requirements were part of HNFS’s contract to administer the DOD’s Defense Health Agency’s TRICARE health benefits program, which provides healthcare services for military service members and their families. The DOJ alleged that HNFS did not adhere to several mandatory cybersecurity standards, including timely scanning for vulnerabilities and addressing security flaws within its networks and systems.

Acquisition and Liability Assumption

Health Net Federal Services was previously owned by Health Net Inc., a California-based company. However, in 2016, Centene Corporation acquired Health Net Inc. and assumed HNFS’s liabilities. As a result, Centene was also included in the DOJ’s settlement agreement.

Statement from the U.S. Government

The acting U.S. attorney for the Eastern District of California stated that HNFS’s failure to uphold its cybersecurity obligations went beyond breaching its government contract—it also violated the trust of military personnel and their families. The DOJ emphasized that contractors handling sensitive government information must fulfill their cybersecurity commitments. The acting assistant attorney general of the DOJ’s civil division reaffirmed the government’s commitment to holding contractors accountable for cybersecurity violations to protect national security and Americans’ privacy.

Specific Cybersecurity Violations

According to the DOJ, HNFS ignored findings from third-party security auditors and its internal audit department, which identified critical cybersecurity risks. These risks involved asset management, access controls, configuration settings, firewalls, outdated hardware and software, patch management, vulnerability scanning, and password policies. Additionally, the DOJ accused HNFS of falsely certifying compliance with at least seven security controls from the National Institute of Standards and Technology (NIST) 800-53 framework in certifications submitted to the DOD’s Defense Health Agency in 2015, 2016, and 2017.

False Claims and Settlement Terms

As a result of these alleged misrepresentations, the DOJ argued that HNFS’s claims for reimbursement under its contract were fraudulent, regardless of whether there was any actual data breach or loss of service member health information. Despite denying the allegations, HNFS and Centene agreed to the $11.2 million settlement to avoid prolonged litigation. The agreement does not prevent the U.S. government from pursuing other claims against HNFS, such as tax violations or potential criminal liability.

Lack of Federal Response on Criminal Charges

The DOJ has not confirmed whether federal prosecutors are considering criminal charges against HNFS or Centene. Information Security Media Group (ISMG) reached out to the DOJ for further details, but the department did not provide an immediate response.

HNFS Response and Contract Termination

A spokesperson for HNFS defended the company’s track record, emphasizing that it has supported service members and their families for over 35 years. The spokesperson reiterated that no data breach or loss of service member information had occurred but expressed satisfaction in resolving the dispute.

HNFS officially ceased providing healthcare services under its TRICARE West Region contract on December 31, 2024. TriWest Healthcare Alliance has since taken over as the successor contractor for the TRICARE West Region.

Comments

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.

Latest Personal Injury News

$6.1M Settlement Reached in Youngstown Blast Lawsuit

Categories: Settlements

The family of a 27-year-old man from Penn Hills, who tragically died in an explosion in Youngstown, Ohio, has secured a settlement exceeding $6.1 million in a wrongful death lawsuit.

The explosion occurred last year when an office building…

NH Settles for $2.25M with the Murdered Kid's Mother

Categories: Settlements

The state of New Hampshire has agreed to a $2.25 million settlement with the mother of a 5-year-old girl who was murdered by her father over five years ago.

The child’s mother filed a wrongful death lawsuit in September 2024 against both…

Boeing, DOJ Settle to Avoid 737 Max Crash Prosecution

Categories: Settlements

The U.S. Department of Justice (DOJ) has reached a new agreement with Boeing that would allow the aerospace giant to avoid criminal prosecution related to two deadly crashes involving its 737 Max aircraft.

The crashes, which occurred in…

✍️ FREE—3000 Pages Medical Record Review Trial!                
No Contract. No Risk—Fully Customized, Free!

Only 10 Firms Accepted—Offer Ends June 30!