Health Net Federal Services settles for $11M for cybersecurity failures
Gugu Ntsele Feb 25, 2025 6:12:47 PM
Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have consented to an $11,253,400 settlement to resolve allegations of falsely certifying compliance with cybersecurity standards under their Defense Health Agency (DHA) TRICARE contract.
What happened
HNFS, contracted to provide managed healthcare support for TRICARE's North region, covering 22 states, was required to adhere to specific cybersecurity standards, including 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53. The U.S. Department of Justice alleges that, between 2015 and 2018, HNFS failed to implement these required cybersecurity measures while administering health benefits for military service members and their families. HNFS is also accused of falsely certifying compliance in reports to the DHA, misrepresenting the security of personal data.
The backstory
The DHA contract mandated strict adherence to cybersecurity protocols to protect sensitive health information. The alleged non-compliance and false certifications have raised concerns about the safeguarding of personal data within the healthcare sector, especially for military personnel and their families.
Going deeper
The settlement amount of $11,253,400 is intended to resolve the allegations without admission of wrongdoing by HNFS and Centene. The settlement does not preclude future criminal liability if additional evidence or actions arise.
What was said
HNFS and Centene deny all allegations and maintain that no data breaches or loss of servicemember information occurred. However, they agreed to the settlement to resolve the allegations.
In the know
The DHA contract's cybersecurity requirements are designed to protect sensitive health information. Non-compliance can lead to risks, including unauthorized access to personal health data.
Why it matters
This settlement centers on alleged cybersecurity deficiencies within HNFS. The alleged failure to implement cybersecurity measures between 2015 and 2018, coupled with the alleged false certifications of compliance, underscores the need for sound security practices in managing sensitive health information for military personnel and their families. The settlement is a reminder of the potential legal and financial penalties of non-compliance with federal cybersecurity standards.
FAQs
How does this settlement affect the healthcare industry?
The settlement shows the importance of adhering to cybersecurity standards, especially for companies handling sensitive health data.
What are the potential consequences for similar organizations?
Non-compliance with cybersecurity standards can lead to financial and legal consequences.
What is the impact of this case on military personnel?
The case shows the importance of safeguarding sensitive health information, particularly for military service members and their families, under contracts like TRICARE.