The Department of Justice has announced that it has settled charges against Centene Corporation and its subsidiary Health Net Federal Services Inc. (HNFS).
The companies will pay a combined $11,253,400 over allegations that HNFS falsely certified compliance with cybersecurity requirements in a contract to administer the Defense Health Agency’s TRICARE benefits program, which is utilized by US service members and their families.
HNFS managed TRICARE services that included administrative support, provider network development, referral management, and claims processing.
The charges were brought under the False Claims Act (FCA), which penalizes knowingly submitting false claims to the government. Breach of the FCA leads to liability “for three times the government’s damages plus a penalty that is linked to inflation.”
False assurances
HNFS’s contract with the DHA mandated adherence to certain privacy and cybersecurity standards, including those listed in C.F.R. § 252.204-7012 and in the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53). According to the contract, HNFS was obligated to submit annual reports certifying its compliance with the NIST security controls.
But according to the settlement agreement, between 2015 and 2018, HNFS failed to scan for vulnerabilities and remedy security flaws, and repeatedly ignored concerns raised by both third-party and internal auditors. HNFS also falsely attested to compliance with “at least seven” of the NIST security controls.
By submitting claims for reimbursement on its contract, and by falsely representing the results of the annual NIST compliance certifications, HNFS violated the FCA, the settlement agreement stated.
Neglected areas of HNFS’s networks and systems included:
- asset management;
- access controls;
- configuration settings;
- firewall implementation;
- maintenance of up-to-date hardware and software;
- patch management, including security updates;
- timely scanning for vulnerabilities;
- password policies.
HNFS and Centene deny that data was ever exfiltrated or compromised due to the security deficiencies. The settlement agreement neither confirms nor disputes that claim.
“Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance,” said Acting US Attorney Michele Beckwith for the Eastern District of California. “When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”