DOJ Says Contractor Falsely Claimed to Meet Critical Cyber Requirements

A military health benefits administrator has agreed to pay $11.2 million to settle allegations that the company falsely certified compliance with cybersecurity requirements for three years in a contract with the U.S. Department of Defense.
The U.S. Department of Justice on Tuesday said its settlement with Health Net Federal Services and parent company Centene resolves allegations that between 2015 and 2018, the company failed to implement certain cybersecurity controls and falsely certified compliance with them in three annual reports to the U.S. Department of Defense.
The requirements were part of a HNFS contract to administer the DoD’s Defense Health Agency’s TRICARE health benefits program for military service members and their families.
Centene acquired California-based Health Net Inc. – HNFS’s previous corporate parent – in 2016 and assumed the liabilities of HNFS, the justice department said.
“When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation,” said Michele Beckwith, acting U.S. attorney for the eastern district of California.
Companies that handle and maintain sensitive government information must meet their contractual obligations to protect it, said Brett Shumate, acting assistant attorney and head of the justice department’s civil division. “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”
Specifically, the justice department alleged that HNFS failed to meet several cybersecurity requirements in its DoD contract. That includes a failure to timely scan for known vulnerabilities and mitigate security flaws on its networks and systems.
The justice department also alleged HNFS ignored reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’ networks and systems related to several critical areas. That includes asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management; vulnerability scanning; and password policies.
The U.S. government alleged HNFS falsely attested that it was in compliance with at least seven of the National Institute of Standards and Technology 800-53 security controls listed in the NIST Compliance Certifications when it submitted those certifications to DoD’s Defense Health Agency in 2015, 2016 and 2017.
As a result, the prosecutors allege that HNFS’ claims for reimbursement on the contract were false, “regardless of whether there was any exfiltration or loss of service member data or protected health information.”
HNFS and Centene deny the U.S. government’s allegations, according to the settlement. The agreement, however, does not prevent the U.S. from pursuing other claims against HNFS, such as those involving tax violations or criminal liability.
The settlement was reached “to avoid the delay, uncertainty, inconvenience and expense of protracted litigation” involving the allegations by the U.S. government against HNFS and Centene, the agreement document said.
The justice department did not immediately respond to Information Security Media Group’s request for comment and additional details, including if federal prosecutors are pursuing potential criminal charges against HNFS or Centene related to the case.
“For more than 35 years, HNFS has faithfully supported service members and their families in the administration of TRICARE throughout the country, and protecting service member health information has been paramount,” an HNFS spokesperson told ISMG.
“While we deny the allegations made and note that no breach or loss of service member data occurred in this matter, we are pleased to bring a resolution to this dispute.”
HNFS stopped delivering healthcare services under its TRICARE West Region contract on Dec. 31, 2024. The successor TRICARE West Region contractor is TriWest Healthcare Alliance, the HNFS spokesperson said.
Concerning Failures
The most concerning failures alleged by the justice department against HNFS appear to be related to the lack of a vulnerability management program, which would include vulnerability scanning, patch management related to applications, operating systems, hardware support and firmware currency, said Scott Weinberg, CEO of managed services firm Neovera, which is not involved in the case.
“Access controls would also be an area of concern. These are foundational cybersecurity practices that protect sensitive data from known threats. Failure to timely scan for vulnerabilities and apply patches leaves systems exposed to well-documented exploits – this is applicable regardless of industry specifics,” he said.
Additionally, weak asset management and end-of-life hardware and software usage create significant security gaps, making it harder to maintain compliance and secure networks against evolving threats, he said. “The fact that third-party auditors and internal audit teams flagged these issues and they remained unaddressed raises greater concern about systemic deficiencies in governance and oversight.”
While not specific to government contractors only, if the DoJ allegations are accurate, “it sounds like HNFS was simply using audits and scans as a compliance checkbox,” said Jeremy Johnson, senior director at Neovera.
“These programs essentially say, ‘Yes, we run scans. Yes, we get third-party audits.’ But for scans and audits to be effective, you must take the results and do something with them,” he said.
“Vulnerability and risk management is a process, with scanning, assessment and audits being only the beginning. These recommendations must be tracked and resolved for cybersecurity to be effective,” he said.
Other False Claims Cases
The settlement between the justice department and HNFS involving the cyber-related allegations is not unusual, said attorney Andrew Wirmani of the law firm Reese Marketos LLP, who is not involved in the HNFS case.
“By my count, this is the ninth False Claims Act settlement based on alleged non-compliance with cybersecurity requirements in federal contracts and subcontracts,” said Wirmani, a former federal prosecutor.
“Under the Biden administration, these types of investigations were the core of their Civil Cyber Fraud Initiative,” he said. This settlement, the first under the new Trump administration, “indicates a continued commitment to holding companies that agree to safeguard information from cyberthreats in exchange for government dollars to account,” he said.
Such settlements have also involved federal contractors in industries outside of healthcare. That includes a $9 million FCA settlement in 2022 with Aerojet Rocketdyne Inc. based on similar theories of non-compliance with contractual promises involving cybersecurity, he said. “The vast majority of these types of cases are initiated by insider whistleblowers.”
It is unclear whether a whistleblower played a role in the HNFS case, but Wirmani said, “The lessons from these types of cases are clear.”
“The government takes cybersecurity requirements in its contracts seriously and won’t hesitate to hold non-compliant companies to account, even if there is no cyber breach,” he said.
“It is critical that companies understand the cybersecurity standards that are incorporated into federal contracts under regulations such as HIPAA, the Federal Information Security Management Act and NIST, and make the appropriate investments – both in terms of personnel and infrastructure – to remain compliant,” he said.
“Because these regulations are complex and evolving, companies need to pay particular attention to the feedback they are receiving from their CIOs and CSOs, especially if they are raising concerns about potential deficiencies.”