
Managed healthcare defense contractor to pay $11 million over alleged cyber failings

A federal contractor that supports the U.S. military’s healthcare system will pay $11 million to the government to settle allegations that it lied about meeting federal cybersecurity standards — the latest penalty levied on a contractor as part of a 2021 initiative to root out cyber-related fraud.  

Health Net Federal Services (HNFS) and its parent company Centene Corporation agreed to pay the $11.2 million fine, although they dispute some of the allegations.

According to prosecutors, between 2015 and 2018 the company — which administered the Tricare healthcare program for 22 states — “falsely certified compliance” with certain cybersecurity controls required of federal contractors. The company allegedly failed to scan for known vulnerabilities in a timely fashion and to address security flaws on its networks.

The Justice Department also accused the company of ignoring internal and third-party reports about risks on its networks related to things like patch management, password policies, end-of-life hardware and software, and configuration settings.

The settlement agreement is part of the DOJ’s Civil Cyber-Fraud Initiative, announced in October 2021, which puts a spotlight on federal contractors to ensure they are adhering to cybersecurity rules. It falls under the auspices of an 1863 law, the False Claims Act, that created civil penalties for misrepresenting the quality of services provided to the government.

In June 2024, the DOJ reached an $11.3 million agreement with the federal contractors Guidehouse Inc. and Nan McKay and Associates for failing to properly test the cybersecurity of a system for providing financial assistance in New York during the COVID-19 pandemic. 

Last October, Penn State University was fined $1.25 million for failing to adhere to security standards and for not addressing the issues after they were identified, and in August the U.S. filed suit against Georgia Institute of Technology after a whistleblower complaint. 

A DOJ official previously told Recorded Future News that the initiative was part of the Biden administration’s efforts at “incentivizing and shaping the market forces” behind companies’ cybersecurity decisions. 

“Companies that hold sensitive government information, including sensitive information of the nation’s servicemembers and their families, must meet their contractual obligations to protect it,” said acting Assistant Attorney General Brett Shumate in a statement about the settlement with HNFS. 

“We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.