On February 18, the government announced that the Rancho Cordova, California-based Health Net Federal Services Inc. (HNFS) and its parent company, St. Louis’s Centene Corporation, will pay $11,253,400 to resolve claims that HNFS falsely certified compliance with cybersecurity requirements in a U.S. Department of Defense (DoD) contract to administer the Defense Health Agency’s (DHA) TRICARE health benefits program for service members and their families.

Acting U.S. Attorney Michele Beckwith for the Eastern District of California said, “Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance.” She elaborated that “when HNFS failed to uphold its cybersecurity obligations” it breached its government contract and “its duty to the people who sacrifice so much in defense of our nation.”

The settlement resolves allegations from 2015 to 2018. HNFS did not meet specific cybersecurity controls and falsely certified compliance with them in annual reports to the DHA, as required under contract to administer the TRICARE program.

HNFS purportedly failed to timely scan for known vulnerabilities and to correct security flaws on its networks and systems, requirements in its System Security Plan and the response times established by HNFS. The US also alleges that HNFS disregarded reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’s networks and systems related to the following: asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management (such as installing critical security updates released by vendors to counter known threats); vulnerability scanning; and password policies.

While the government did not share if this case was brought to them by a whistleblower, under the qui tam provisions of the False Claims Act, private individuals can bring lawsuits on behalf of the United States against those that defraud the government. In return, successful whistleblowers can recover up to 30% of any government recovery.

Constantine Cannon whistleblower partner Alysia Solow commented: “Companies that manage confidential government information are required to fulfill their contractual responsibilities to preserve and protect such data, but we are increasingly seeing cases where this is not happening. The number of cybersecurity matters that we are evaluating under the False Claims Act and other government whistleblower programs are on the rise.”

If you would like more information on what it means to be a whistleblower or think you may have information relating to False Claims Act violations, healthcare fraud, or government contract fraud, please contact us so we can connect you with a member of the Constantine Cannon whistleblower lawyer team for a free and confidential consultation.

Read Health Net Federal Services, LLC and Centene Corporation Agree to Settle False Claims Act Violations Related to Cybersecurity, Paying Over $11M at constantinecannon.com