Full Report
Health Net Federal Services, LLC (HNFS) and its parent company, Centene Corporation, have agreed to pay over $11 million to resolve allegations that they falsely certified compliance with cybersecurity requirements under a contract with the U.S. Department of Defense (DoD). The settlement highlights the growing enforcement of cybersecurity regulations for government contractors handling sensitive information.

## Background of the Settlement

HNFS, based in Rancho Cordova, California, and its parent company, St. Louis-based Centene Corporation, were accused of failing to meet required cybersecurity standards while administering the Defense Health Agency’s (DHA) TRICARE health benefits program. TRICARE provides medical benefits to U.S. servicemembers and their families, making cybersecurity compliance a critical aspect of the contract.

According to the U.S. Department of Justice (DOJ), HNFS falsely certified its compliance with cybersecurity controls between 2015 and 2018. These certifications were submitted in annual reports to DHA, as required under the terms of its TRICARE administration contract. The U.S. government alleged that HNFS failed to scan for known vulnerabilities and address security flaws within the required response times, as outlined in its System Security Plan.

Centene Corporation, which acquired HNFS’s corporate parent in 2016, assumed the liabilities of HNFS, making it a party to the settlement. The total amount agreed upon in the settlement is $11,253,400.

## Government’s Response to Cybersecurity Lapses

Government officials emphasized the importance of cybersecurity compliance, particularly when handling sensitive government and personal data. “Companies that hold sensitive government information, including information about the nation’s servicemembers and their families, must meet their contractual obligations to protect it,” said Acting Assistant Attorney General Brett A. Shumate, head of the DOJ’s Civil Division. “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

Acting U.S. Attorney Michele Beckwith for the Eastern District of California reinforced this stance, stating, “When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”

Kenneth DeChellis, Special Agent in Charge of the Cyber Field Office at the Defense Criminal Investigative Service (DCIS), highlighted the potential risks of cybersecurity failures, stating, “This settlement reflects the significance of protecting TRICARE and the service members and their families who depend on the health care program from risks of exploitation.”

## Specific Allegations Against HNFS

The DOJ detailed several cybersecurity failures that contributed to the allegations against HNFS:

- **Failure to Scan for Vulnerabilities:** HNFS did not conduct timely scans to identify known cybersecurity vulnerabilities within its systems.
- **Unaddressed Security Risks:** Reports from third-party security auditors and HNFS’s own internal audit team identified cybersecurity weaknesses that were not remedied.
- **Asset Management Issues:** HNFS struggled with managing and securing its IT assets, which increased the risk of unauthorized access.
- **Inadequate Access Controls:** Weak access control mechanisms potentially left sensitive data exposed to unauthorized users.
- **Configuration and Firewall Weaknesses:** The company failed to properly configure security settings and maintain firewall protections, increasing the risk of external threats.
- **Use of Outdated Hardware and Software:** End-of-life technology that was no longer supported by vendors remained in use, exposing systems to unpatched vulnerabilities.
- **Poor Patch Management:** HNFS did not install critical security updates in a timely manner, leaving systems open to known cyber threats.
- **Lax Password Policies:** Weak password security policies increased the likelihood of credential theft and unauthorized access.

## Implications for Federal Contractors

The settlement underscores the increasing scrutiny on cybersecurity compliance for government contractors. As cyber threats grow more sophisticated, agencies like the DOJ and DoD are enforcing strict measures to ensure companies entrusted with sensitive government data adhere to cybersecurity best practices.

Failure to comply with cybersecurity requirements not only puts government contracts at risk but also exposes organizations to potential financial penalties and reputational damage. The False Claims Act, which holds contractors accountable for false certifications of compliance, remains a powerful tool for the government to enforce cybersecurity standards.

## Conclusion

The $11 million settlement between Health Net Federal Services, Centene Corporation, and the U.S. government sends a clear message about the importance of cybersecurity compliance in federal contracts. Companies handling sensitive government information must prioritize security measures to protect data from cyber threats. As regulatory oversight increases, companies must strengthen their cybersecurity frameworks, ensure compliance with contract obligations, and take proactive steps to protect sensitive information from cyber threats.
Analysis Summary
# Regulation/Compliance: Cybersecurity Compliance in Federal Contracting (Enforcement Action based on Weak Practices)
## Overview
This summary focuses on the regulatory and legal fallout following a settlement where Health Net Federal Services (HNFS) and Centene Corporation paid \$11 million for cybersecurity failures. While not detailing a single new regulation, it highlights the enforcement of existing expectations related to cybersecurity in federal contracts, particularly concerning the protection of sensitive government data and the implications of making false certifications of compliance.
## Key Details
- Issuing Authority: U.S. Department of Justice (Civil Division and the U.S. Attorney's Office for the Eastern District of California), resolving allegations on behalf of the DoD's Defense Health Agency, the contracting agency.
- Effective Date: The failures leading to the settlement occurred prior to February 19, 2025. Enforcement actions are continuous.
- Jurisdiction: United States federal contracting environment.
- Status: Enforcement action/Settlement (Final).
## Requirements
### Mandatory Requirements
1. **Vulnerability Management:** Organizations must actively manage and remediate known system vulnerabilities. This includes timely installation of critical security updates/patches.
2. **Technology Lifecycle Management:** Prohibit the use of end-of-life (unsupported) technology that exposes systems to unpatched vulnerabilities.
3. **Password Security:** Implement strong and effective password security policies to mitigate the risk of credential theft and unauthorized access.
4. **Compliance Certification Accuracy:** Organizations must ensure that certifications of cybersecurity compliance associated with federal contracts are accurate and truthful.
### Recommended Practices
1. Strengthen cybersecurity frameworks beyond minimum contractual requirements to proactively protect sensitive government data.
2. Take proactive steps to protect sensitive information from evolving cyber threats.
## Affected Organizations
- Industries: Organizations acting as federal contractors handling sensitive government data.
- Organization Size: Not explicitly stated, but applies to any contracted entity involved in the relevant agreements.
- Geographic Scope: Primarily entities operating under U.S. federal contracts.
## Compliance Timeline
- **Date:** N/A (Past failures led to settlement).
- **Final deadline:** Ongoing adherence to contractual cybersecurity obligations is continuously required for all contractors. Failure to maintain compliance risks further enforcement.
## Implementation Guidance
### Assessment Phase
- Review current IT infrastructure to identify and inventory all end-of-life or unsupported technologies being used.
- Audit patch management processes to ensure security updates (especially critical ones) are installed in a timely manner according to established SLAs or industry best practices.
### Implementation Phase
- Establish and enforce robust, modern password policies.
- Develop and implement a rigorous program for tracking and deprecating unsupported software and hardware.
### Validation Phase
- Conduct penetration testing and vulnerability scanning to verify that patches have been successfully applied and configurations are secure.
- Obtain and maintain objective evidence demonstrating timely patching cycles, especially for critical vulnerabilities.
## Technical Requirements
The specific weaknesses cited imply mandatory requirements for:
1. **Timely Patch Deployment:** Deployment of critical security updates within the response times the contractor's own System Security Plan commits to.
2. **Inventory Control:** Maintaining an accurate, up-to-date inventory of all supported hardware and software.
3. **Access Control:** Robust authentication mechanisms, including strong password requirements.
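The assessment and validation steps above (audit patch timeliness against SLAs, inventory end-of-life technology, keep objective evidence of patching cycles) and the technical requirements just listed all reduce to the same question: does the evidence actually support the certification being signed? The following is an added example, not code from the original report or from HNFS/Centene, showing one way to compute that evidence from scan findings and an asset inventory. The SLA windows, the 30-day scan-age limit, the asset names, check identifiers and dates are all constructed sample values; a real System Security Plan defines the binding response times.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows per severity, in days. Constructed placeholder values;
# the contractor's System Security Plan defines the binding response times.
SLA_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Maximum age of an asset's last vulnerability scan before it counts as
# unscanned (constructed policy value).
MAX_SCAN_AGE_DAYS = 30


@dataclass
class Finding:
    asset: str
    check_id: str                      # scanner check identifier (constructed)
    severity: str                      # one of the SLA_DAYS keys
    first_seen: date
    remediated: Optional[date] = None  # None while the finding is still open


@dataclass
class Asset:
    name: str
    software: str
    end_of_support: Optional[date]     # None means vendor support is ongoing
    last_scanned: Optional[date]       # None means never scanned


def sla_deadline(f: Finding) -> date:
    """Date by which the finding must be remediated under the SLA table."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def classify_finding(f: Finding, as_of: date) -> str:
    """Bucket a finding relative to its deadline. Remediation on the deadline
    day itself still counts as within SLA (boundary is inclusive)."""
    deadline = sla_deadline(f)
    if f.remediated is not None:
        return "closed_in_sla" if f.remediated <= deadline else "closed_late"
    return "open_in_sla" if as_of <= deadline else "open_overdue"


def sla_report(findings: List[Finding], as_of: date) -> Dict[str, List[Finding]]:
    """Group findings by SLA status; these buckets are the auditable evidence."""
    report: Dict[str, List[Finding]] = {
        "closed_in_sla": [], "closed_late": [], "open_in_sla": [], "open_overdue": []}
    for f in findings:
        report[classify_finding(f, as_of)].append(f)
    return report


def eol_assets(assets: List[Asset], as_of: date) -> List[Asset]:
    """Assets whose vendor support has ended on or before the as-of date."""
    return [a for a in assets
            if a.end_of_support is not None and a.end_of_support <= as_of]


def unscanned_assets(assets: List[Asset], as_of: date,
                     max_age_days: int = MAX_SCAN_AGE_DAYS) -> List[Asset]:
    """Assets never scanned, or not scanned within the allowed window."""
    return [a for a in assets
            if a.last_scanned is None or (as_of - a.last_scanned).days > max_age_days]


def attestation_supported(findings: List[Finding], assets: List[Asset], as_of: date) -> bool:
    """True only when the evidence supports a compliance certification: no overdue
    open findings, no end-of-life assets in scope, and every asset recently scanned."""
    return (not sla_report(findings, as_of)["open_overdue"]
            and not eol_assets(assets, as_of)
            and not unscanned_assets(assets, as_of))


# Constructed sample data (not real scan output).
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("srv-web-01", "CHK-1001", "critical", date(2024, 5, 1), date(2024, 5, 10)),
    Finding("srv-web-01", "CHK-1002", "high", date(2024, 4, 1), date(2024, 5, 15)),
    Finding("srv-db-02", "CHK-1003", "critical", date(2024, 6, 1)),
    Finding("srv-db-02", "CHK-1004", "medium", date(2024, 5, 20)),
    Finding("wks-fin-07", "CHK-1005", "low", date(2024, 1, 2)),  # deadline == AS_OF
]
SAMPLE_ASSETS = [
    Asset("srv-web-01", "Ubuntu 22.04", date(2027, 4, 30), date(2024, 6, 28)),
    Asset("srv-db-02", "Windows Server 2012 R2", date(2023, 10, 10), date(2024, 6, 28)),
    Asset("wks-fin-07", "Windows 10 22H2", date(2025, 10, 14), date(2024, 4, 15)),
    Asset("srv-legacy-03", "CentOS 7", date(2024, 6, 30), None),
]

if __name__ == "__main__":
    for bucket, items in sla_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{bucket:14s} {[(f.asset, f.check_id) for f in items]}")
    print("end-of-life:", [a.name for a in eol_assets(SAMPLE_ASSETS, AS_OF)])
    print("unscanned:  ", [a.name for a in unscanned_assets(SAMPLE_ASSETS, AS_OF)])
    print("certification supported:", attestation_supported(SAMPLE_FINDINGS, SAMPLE_ASSETS, AS_OF))
```

Run against the sample data, the report shows one finding closed late, one critical finding overdue, two assets past vendor support and two assets outside the scan window, so `attestation_supported` returns `False`; the point of keeping the buckets rather than a single pass/fail is that the same output doubles as the dated evidence of patching cycles an auditor will ask for.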
## Penalties & Enforcement
- **Fines:** The settlement resulted in an \$11 million payout.
- **Other Consequences:** Risk to reputation, potential loss of current and future government contracts, and further legal action under statutes like the False Claims Act.
- **Enforcement:** Agencies such as the DOJ and DoD actively enforce these standards, utilizing tools like the False Claims Act against contractors who falsely certify compliance.
## Related Standards
- **General Cybersecurity Best Practices:** The incident underscores the necessity of adhering to established cybersecurity standards necessary to manage federal data risks.
- **False Claims Act:** This legal framework serves as a major enforcement tool, penalizing contractors for misrepresenting their compliance posture.
## Resources
- Official Documentation: Specific settlement documentation (requires external legal research citing the Health Net/Centene case).
- Guidance Documents: Relevant federal contract clauses (e.g., DFARS clauses, FAR requirements) pertaining to protecting Controlled Unclassified Information (CUI).
- Tools: Standard vulnerability management and patch management tools.
## Practical Recommendations
- **Audit Compliance Statements:** Before submitting any document certifying cybersecurity compliance for a government contract, ensure internal controls demonstrably meet the asserted standards.
- **Prioritize Patching:** Create an aggressive, auditable schedule for deploying critical security patches, prioritizing systems handling sensitive data.
- **Eliminate EOL Tech:** Immediately devise a migration or retirement plan for any system running unsupported software or hardware.