The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

TRICARE Administrator Pays $11.23M Penalty to Resolve Cybersecurity-related FCA Claims

The U.S. Department of Justice has announced that Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay an $11,253,400 penalty to settle allegations that HNFS falsely certified compliance with the cybersecurity requirements of its Defense Health Agency (DHA) contract to manage the TRICARE healthcare program.

The military health benefits administrator was investigated by the Civil Division’s Commercial Litigation Branch (Fraud Section) and the U.S. Attorney’s Office for the Eastern District of California. The investigation revealed HNFS had not implemented certain cybersecurity controls that were required under its DHA contract between 2015 and 2018 yet certified in multiple annual reports that those controls were in place. The terms of the contract required HNFS to comply with 48 C.F.R. § 252.204-7012 cybersecurity standards and 51 security controls from NIST Special Publication 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations.

HNFS failed to scan for known vulnerabilities and remediate vulnerabilities in a timely manner in accordance with its Systems Security Plan and the response times it had established. HNFS is also alleged to have ignored reports from third-party security auditors and its internal audit department. Security issues identified included risks on its networks and systems in the areas of asset management, access controls, configuration settings, firewalls, end-of-life hardware and software, patch management, vulnerability scans, and password policies.

The annual reports submitted by HNFS indicated full compliance with all cybersecurity requirements. Reports certifying compliance were submitted by HNFS on at least 3 occasions in November 2015, February 2016, and February 2017. The failure to address security issues potentially put the sensitive information of service members and their families at risk.

Both HNFS and its parent company maintain that no vulnerabilities were exploited, no data breaches were experienced, and there was no loss of servicemembers’ data. All allegations were denied; however, a settlement and financial penalty were agreed upon to avoid the delay, uncertainty, inconvenience, and expense of protracted litigation. The settlement is not an admission of wrongdoing or liability and does not protect HNFS and Centene from further claims, administrative penalties, or civil actions in the future.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
