Health Net Federal Services (HNFS), a defense contractor supporting the U.S. military’s healthcare system, has agreed to pay a hefty $11.2 million settlement. The settlement resolves allegations that between 2015 and 2018, the company falsely certified its compliance with federal cybersecurity standards. The alleged lapses included failures to address vulnerabilities and security flaws on its network. The settlement is part of the Department of Justice’s Civil Cyber-Fraud Initiative, an ongoing effort to hold contractors accountable for meeting cybersecurity requirements, particularly those handling sensitive government information.
The company, which administered the Tricare program for 22 states, disputed some of the claims but ultimately agreed to the fine. Prosecutors claimed that HNFS ignored internal and third-party reports that highlighted various cybersecurity risks, including issues with patch management, outdated software, and improper password policies. These lapses are said to have left its networks exposed, compromising sensitive data related to U.S. servicemembers and their families.
The U.S. Justice Department’s Civil Cyber-Fraud Initiative, launched in October 2021, has been focusing on federal contractors to ensure they meet cybersecurity standards. This initiative is particularly vital, given the ongoing risks to national security and personal data. The initiative is tied to the False Claims Act, which holds companies accountable for misrepresenting their services, especially in relation to cybersecurity. Previous settlements under this initiative, including those with Guidehouse Inc. and Penn State University, further emphasize the government’s determination to enforce cybersecurity rules within government contracts.
This settlement signals the Biden administration’s broader effort to incentivize companies to strengthen their cybersecurity practices. As Brett Shumate, acting Assistant Attorney General, emphasized, companies with access to sensitive government data must fulfill their contractual obligations to safeguard it. The Health Net settlement demonstrates the growing legal and financial pressure on contractors who fail to uphold cybersecurity standards, with future actions likely to follow against other companies that neglect security practices.