DoJ $11mn Cybersecurity Violations

Published on: Feb 19, 2025

On Feb. 18, DoJ issued settlement with Health Net Federal Services.

  • DoJ issued $11mn settlement agreement with Health Net Federal Services, LLC (HNFS) and parent, Centene Corporation, to resolve False claims act cybersecurity violations.
  • In 2016, Centene acquired all issued, outstanding shares of HNFS, assumed liabilities.
  • Alleged Violations
  • Between 2015 and 2018, HNFS failed to meet certain cybersecurity controls and falsely certified compliance with them in annual reports to Defense Health Agency (DHA).
  • Annual reports required under its contract to administer the TRICARE program.
  • HNFS failed to timely scan for known vulnerabilities and remedy security flaws on its networks and systems, in accordance with System Security Plan and response times.
  • Firm also ignored reports from third-party security auditors and internal audit department of cybersecurity risks on networks and systems re asset management.
  • And, access controls, configuration settings, firewalls, end-of-life hardware and software in use, patch management, vulnerability scanning, and password policies.
  • Violated false claims (31 USC 3729), Program fraud civil remedies act (31 USC 3801).
  • Enforcement
  • HNFS and Centene to pay $11,253,400; $5,626,700 is restitution plus 4% interest.
Regulators
DoJ
Entity Types
Corp
Reference
PR 25-169, LR, 2/18/2025; Citation: *31 USC* 3729, 3801;
Functions
Compliance; Cyber; Financial; Fraud; Legal; Reporting
Countries
United States of America
Category
Central Government
State
N/A
Products
Corporate
Rule Type
Enforcement
Regions
Am
Rule Date
Feb 18, 2025
Effective Date
Feb 18, 2025
Rule ID
243985
Linked to
N/A
Reg. Last Update
Feb 18, 2025
Report Section
AML & Enforcement