
Health Net Federal Services (HNFS) and Centene Corporation have reached an $11.25 million settlement with the U.S. government over allegations of falsely certifying cybersecurity compliance in their TRICARE contract. HNFS, responsible for managing healthcare services across 22 states in TRICARE’s North region, reportedly failed to implement mandatory security measures while serving military personnel and their families.
Between 2015 and 2018, HNFS allegedly violated federal cybersecurity requirements outlined in 48 C.F.R. § 252.204-7012 and NIST Special Publication 800-53. The Department of Justice identified several critical security lapses, including:
– Inadequate vulnerability scanning and patch management
– Failure to address identified security risks
– Insufficient implementation of basic security controls
– Use of outdated systems
– Weak password policies
The company submitted false compliance certifications on three documented occasions: November 2015, February 2016, and February 2017. While HNFS and Centene deny all allegations and maintain no data breaches occurred, they agreed to the settlement. The agreement does not protect the companies from potential future criminal liability or additional civil actions.
The case highlights the growing emphasis on cybersecurity compliance in federal contracts and the serious consequences of misrepresenting security measures in government healthcare services.