On February 18, 2025, the U.S. Department of Justice announced that it reached an $11 million settlement with healthcare support services provider, Health Net Federal Services Inc. (“HNFS”) and its corporate parent Centene Corporation, to resolve allegations that HNFS misrepresented its compliance with the cybersecurity requirements of a federal contract to provide health benefits to service members and their families. According to the DOJ, Centene assumed the liabilities of HNFS in 2016 when it acquired all issued and outstanding shares of Health Net Inc., HNFS’ corporate parent.
Federal prosecutors allege that between 2015 and 1018, HNFS failed to meet the cybersecurity requirements in its contract with the U.S. Department of Defense, in which the company was obligated to provide information management and information technology support for the Defense Health Agency’s (“DHA”) TRICARE health benefits program. While HNFS certified its compliance in annual reports provided to the DHA, the company allegedly failed to timely scan for vulnerabilities and resolve identified security flaws in its networks and systems, as contractually required. HNFS also allegedly ignored reports from third-party auditors and its internal audit department regarding cybersecurity risks on certain networks and systems, including those related to HNFS’ asset management, access controls, firewalls, and password policies.
According to the settlement agreement, HNFS and Centene deny the government’s allegations and agreed to collectively pay $11,253,400 to avoid the uncertainty, inconvenience, and expense of protracted litigation.