US healthcare org pays $11M settlement over alleged cybersecurity lapses

Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract. The U.S. government contracted HNFS to provide managed healthcare support services for TRICARE's North region, covering 22 states. The contract required compliance with cybersecurity standards, specifically 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations). According to a U.S. Department of Justice announcement, between 2015 and 2018, HNFS allegedly failed to implement the required cybersecurity measures while administering health benefits for American military service members and their families. At the same time, the DOJ claims HNFS falsely certified compliance in their reports to the DHA, making it appear as ... Read full article.