Healthcare outfit that served military personnel settles allegations it faked infosec compliance for $11M

If this makes you feel sick, knowing this happened before ransomware actors started targeting medical info may help

An alleged security SNAFU that occurred during the Obama administration has finally been settled under the second Trump administration.

The case concerns Health Net Federal Services (HNFS), an outfit that provides healthcare services to military personnel, and its parent company Centene Corporation.

The orgs will pay $11,253,400 to settle claims that HNFS falsely certified compliance with certain infosec requirements in a contract with the Department of Defense a decade ago.

In agreeing to the settlement, neither Centene Corporation nor HNFS admits any guilt and, as is usual with these types of court resolutions, there is "no determination of liability."

Also per usual: the $11 million financial penalty isn't even a slap on the wrist for Centene Corporation, which raked in $163.1 billion of revenue in its most recent full financial year.

Centene Corporation did not immediately respond to The Register's request for comment. We will update this story if the healthcare giant sends us substantial info.

The settlement was made in relation to HNFS’s administration of the Defense Health Agency's (DHA) TRICARE health benefits program — the health plan for US military servicemembers and their families — across all or part of 22 American states, covering millions of people and their very sensitive data.

Under the government contract, HNFS was required to "adhere to certain privacy standards and cybersecurity requirements," according to court documents.

Those standards included scanning for known vulnerabilities and patching security flaws in a timely manner, plus submitting an annual report to the DHA that certified compliance with certain infosec standards and privacy controls.

However, according to the DOJ, between 2015 and 2018 HNFS falsely certified compliance with those controls and ignored reports from third-party security auditors.

Plus, we're told, the healthcare provider allegedly ignored its own internal audit of cybersecurity risks related to asset management, access controls, configuration settings, firewalls, end-of-life hardware and software in use, patch management, vulnerability scanning, and password policies.

This potentially put the personal and health-related information of millions of military personnel and their family members at risk.

The Feds do not allege that any protected data was stolen or lost as a result of the apparent security oversights.

That outcome is very fortunate. Indeed, this matter could have ended badly for everyone involved, considering that healthcare data is a top target for ransomware crews and other cybercriminals looking to steal sensitive info and extort corporations to prevent its release.

"Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance," said Acting US Attorney Michele Beckwith for the Eastern District of California.

"When HNFS failed to uphold its cybersecurity obligations, it didn't just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation," Beckwith added in a Justice Department statement.

Health Net, another Centene Corporation-owned health insurance company, was among the providers whose services were disrupted during last year's Change Healthcare ransomware attack. That massive digital intrusion downed systems at thousands of pharmacies and hospitals across the US and compromised protected health information belonging to at least 100 million individuals. ®
