DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations

Posted on February 18, 2025February 19, 2025 by Dissent

From the U.S. Department of Justice, February 18, 2025

Note: View the settlement agreement here.

Health Net Federal Services Inc. (HNFS) of Rancho Cordova, California and its corporate parent, St. Louis-based Centene Corporation, have agreed to pay $11,253,400 to resolve claims that HNFS falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (DoD) to administer the Defense Health Agency’s (DHA) TRICARE health benefits program for servicemembers and their families. In 2016, Centene acquired all of the issued and outstanding shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS.

“Companies that hold sensitive government information, including sensitive information of the nation’s servicemembers and their families, must meet their contractual obligations to protect it,” said Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division. “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

“Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance,” said Acting U.S. Attorney Michele Beckwith for the Eastern District of California. “When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”

“This settlement reflects the significance of protecting TRICARE, and the service members and their families who depend on the health care program, from risks of exploitation,” said Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service (DCIS), the law enforcement arm of the DoD Office of Inspector General. “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”

The settlement resolves allegations that, between 2015 and 2018, HNFS failed to meet certain cybersecurity controls and falsely certified compliance with them in annual reports to DHA that were required under its contract to administer the TRICARE program. The United States alleged that HNFS failed to timely scan for known vulnerabilities and to remedy security flaws on its networks and systems, in accordance with its System Security Plan and the response times HNFS had established. Furthermore, the United States alleged HNFS ignored reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’ networks and systems related to asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management (i.e., installing critical security updates released by vendors to counter known threats); vulnerability scanning; and password policies.

The Civil Division’s Commercial Litigation Branch (Fraud Section) and the U.S. Attorney’s Office for the Eastern District of California handled the matter, with assistance from DoD’s Office of Inspector General, including the DCIS, Cyber Field Office Western Region and the Inspector General’s Office of Audits, Cyberspace Operations Directorate, and DoD’s Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center.

Trial Attorneys Christopher Wilson, Laura Hill, and Jonathan Thrope of the Civil Division’s Fraud Section and Assistant U.S. Attorney Steven Tennyson for the Eastern District of California represented the United States in this matter.

The claims asserted against defendants are allegations only; there has been no determination of liability.

Updated February 18, 2025
Category: Health DataU.S.

Post navigation

← Deal leaks: data protection during M&A
$10 Infostealers Are Breaching Critical US Security: Military and Even the FBI Hit →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.