Shane

$11.2M DOJ Settlement Highlights Critical Importance of Cybersecurity Compliance

False compliance certifications lead to multi-million dollar penalty in military healthcare contract

In a significant enforcement action announced this February, Health Net Federal Services (HNFS) and its parent company Centene Corporation have agreed to pay $11.23 million to settle allegations of cybersecurity compliance failures in their management of sensitive military healthcare data.

The Case Against Health Net Federal Services

The Department of Justice (DOJ) investigation revealed that between 2015 and 2018, HNFS, while contracted to administer the TRICARE health coverage program for active duty military personnel, retirees, and their families, failed to implement required cybersecurity controls while falsely certifying compliance in their annual reports.

The specific allegations include:

  • Failure to scan for and remediate known vulnerabilities within established timeframes
  • Ignoring security risk reports from both third-party auditors and internal audit teams
  • Inadequate implementation of basic security measures including:
    • Asset management
    • Access controls
    • Firewall protections
    • Configuration settings
    • Patch management
    • Password policies
    • End-of-life hardware and software management

The Regulatory Framework

The contract required HNFS to comply with federal cybersecurity standards, specifically 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53. Despite these clear requirements, HNFS submitted false compliance certifications on at least three occasions: November 2015, February 2016, and February 2017.

“Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance,” stated Acting U.S. Attorney Michele Beckwith for the Eastern District of California.

Impact and Resolution

While HNFS and Centene maintain that no data breaches occurred and no service member information was compromised, the settlement demonstrates the government’s serious approach to enforcing cybersecurity compliance requirements. The agreement does not constitute an admission of wrongdoing, but it also doesn’t protect the companies from potential future claims or administrative penalties.

How CinchOps Can Help

This case underscores the critical importance of maintaining robust cybersecurity compliance programs. CinchOps offers comprehensive solutions to help organizations avoid similar costly penalties by:

  1. Providing continuous compliance monitoring and automated security controls verification
  2. Implementing real-time vulnerability scanning and remediation tracking
  3. Establishing automated audit trails for regulatory reporting
  4. Maintaining up-to-date asset inventory and lifecycle management
  5. Ensuring proper configuration management and access control implementation

Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.

Contact CinchOps today to learn how we can help your organization maintain rigorous cybersecurity standards and avoid costly penalties while protecting sensitive data.
