Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have consented to an $11,253,400 settlement to resolve allegations of falsely certifying compliance with cybersecurity standards under their Defense Health Agency (DHA) TRICARE contract.
HNFS, contracted to provide managed healthcare support for TRICARE's North region, covering 22 states, was required to adhere to specific cybersecurity standards, including 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53. The U.S. Department of Justice alleges that, between 2015 and 2018, HNFS failed to implement these necessary cybersecurity measures while administering health benefits for military service members and their families. Additionally, HNFS is accused of falsely certifying compliance in reports to the DHA, misrepresenting the security of personal data.
The DHA contract mandated strict adherence to cybersecurity protocols to protect sensitive health information. The alleged non-compliance and false certifications have raised concerns about the safeguarding of personal data within the healthcare sector, especially for military personnel and their families.
The settlement amount of $11,253,400 is intended to resolve the allegations without admission of wrongdoing by HNFS and Centene. The settlement does not preclude future criminal liability if additional evidence or actions arise.
HNFS and Centene deny all allegations and maintain that no data breaches or loss of servicemember information occurred. However, they agreed to the settlement to resolve the allegations.
The DHA contract's cybersecurity requirements are designed to protect sensitive health information. Non-compliance can lead to risks, including unauthorized access to personal health data.
This settlement shows cybersecurity deficiencies within HNFS. HNFS's failure to implement cybersecurity measures between 2015 and 2018, coupled with false certifications of compliance, demonstrates the need for security practices in managing sensitive health information for military personnel and their families. The settlement is a reminder of the potential legal and financial penalties of non-compliance with federal cybersecurity standards.
The settlement shows the importance of adhering to cybersecurity standards, especially for companies handling sensitive health data.
Non-compliance with cybersecurity standards can lead to financial and legal consequences.
The case shows the importance of safeguarding sensitive health information, particularly for military service members and their families, under contracts like TRICARE.