Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract. [...]
Analysis Summary
# Incident Report: False Cybersecurity Compliance Certification by Healthcare Contractor
## Executive Summary
Health Net Federal Services (HNFS) and its parent company, Centene Corporation, agreed to pay an $11.25 million settlement to resolve allegations that HNFS falsely certified compliance with strict cybersecurity requirements mandated under its Defense Health Agency (DHA) TRICARE contract between 2015 and 2018. The core issue was the failure to implement mandated controls, including timely patching, asset management, access controls, and adherence to NIST SP 800-53, despite repeated certifications of compliance. No data breach was publicly confirmed, but the regulatory impact required a substantial financial resolution.
## Incident Details
- **Discovery Date:** Not explicitly stated; discovery is implied through reports or an investigation preceding the settlement (post-2018).
- **Incident Date:** Alleged failures occurred between 2015 and 2018.
- **Affected Organization:** Health Net Federal Services (HNFS) and Centene Corporation.
- **Sector:** Healthcare/Government Contracting (Managed Healthcare Support Services for TRICARE).
- **Geography:** United States (Serving TRICARE's North region across 22 states).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing between 2015 and 2018.
- **Vector:** Allegedly through failure to maintain required security controls, leading to an improperly secured environment susceptible to compromise (though no breach was confirmed).
- **Details:** Contractually required compliance with 48 C.F.R. § 252.204-7012 and 51 controls from NIST SP 800-53 (R4, Upd3).
### Lateral Movement
- Not detailed in the context provided, as the incident focuses on systemic compliance failures rather than a specific intrusion event.
### Data Exfiltration/Impact
- **Impact:** Allegedly unsecured collection and administration of military service members' and their families' health benefits data due to insufficient security posture. No confirmed data exfiltration/loss was reported by the settling parties.
### Detection & Response
- **Detection:** Investigation leading to U.S. Department of Justice (DOJ) action (post-2018).
- **Response Actions:** HNFS and Centene settled the allegations by agreeing to pay $11,253,400. Attestations of compliance were falsely made on: Nov 17, 2015; Feb 26, 2016; and Feb 24, 2017.
## Attack Methodology
*Note: Since this report details compliance failures rather than a known attack chain, the methodology reflects the **inferred** gaps that could lead to compromise.*
- **Initial Access:** Not applicable (Focus on non-compliance rather than exploitation path).
- **Persistence:** Not applicable.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Failure to deploy basic defensive measures (e.g., failing to remediate known vulnerabilities, ignoring audit findings).
- **Credential Access:** Failure to enforce strong account password policies.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable (However, data regarding service members was being handled while controls were allegedly weak).
- **Exfiltration:** Not applicable (No breach confirmed).
- **Impact:** Regulatory/Contractual violation and creation of significant risk exposure due to non-compliance.
## Impact Assessment
- **Financial:** $11,253,400 settlement paid.
- **Data Breach:** No confirmed data breach or loss of servicemember information occurred, according to the involved parties.
- **Operational:** Potential operational risk due to outdated hardware/software identified.
- **Reputational:** Negative publicity resulting from a federal settlement over cybersecurity negligence.
## Indicators of Compromise
- **Network Indicators:** Not provided (Defanged URLs/IPs are not relevant as this was a compliance failure investigation).
- **File Indicators:** N/A.
- **Behavioral Indicators:** Evidence of outdated hardware/software usage; failure to promptly scan for and patch (n-day) vulnerabilities; ignoring findings in prior audit reports.
## Response Actions
- **Containment measures:** Not reported, as the action was a civil settlement related to past failures.
- **Eradication steps:** Not reported in the context of a specific breach cleanup.
- **Recovery actions:** Payment of $11,253,400 settlement.
## Lessons Learned
- **Key Takeaways:** Certifying compliance with stringent federal cybersecurity standards (such as NIST SP 800-53) requires substantive implementation, not just documentation. Failure to maintain basic security hygiene (patching, asset management, access control) exposes contractors to severe financial and legal consequences under the contractual and regulatory frameworks that govern defense contracts.
- **What could have been done better:** Implementing required security controls (patch management, access controls, modern hardware/software) when they were contractually mandated, and promptly remediating risks identified in internal audits.
## Recommendations
- **Prevention measures for similar incidents:**
1. Establish a continuous compliance monitoring program to verify that security controls are active and effective, rather than relying solely on point-in-time attestations.
2. Mandate an aggressive patch management schedule to address n-day vulnerabilities immediately.
3. Enforce strict asset lifecycle management to eliminate outdated and unsupported hardware/software.
4. Ensure all audit findings related to cybersecurity risk are triaged, prioritized, and remediated within defined service-level objectives.