The Cost of Compliance Theater: DoD Contractor Pays $11.2M for False Cybersecurity Certifications

Cybersecurity compliance isn’t just a box to check—it’s a commitment to protecting sensitive data. But for Health Net Federal Services (HNFS), that commitment fell short.


Now, HNFS, a DoD contractor entrusted with administering TRICARE health benefits for millions of servicemembers and their families, and its parent company, Centene Corporation, have agreed to pay $11.2 million to settle allegations that they falsely certified compliance with federal cybersecurity requirements—while failing to meet critical security standards.

A Breach of Trust

Between 2015 and 2018, HNFS was responsible for securing highly sensitive healthcare data under its contract with the Defense Health Agency (DHA). The company was required to comply with strict cybersecurity controls and certify its adherence in annual reports to the DoD.

However, according to the U.S. Department of Justice (DoJ), those certifications were false.

HNFS allegedly:

  • Skipped crucial vulnerability scans and failed to patch known security flaws
  • Ignored internal and third-party audit warnings about cybersecurity risks
  • Failed to maintain basic security hygiene—including asset management, access controls, firewall configurations, and password policies

This wasn’t a minor paperwork error. These lapses could have exposed the personal health data of U.S. servicemembers and their families—data that, in the wrong hands, could have severe consequences.

A Costly Wake-Up Call

HNFS and Centene settled the allegations for $11,253,400 without admitting liability. The message from the Justice Department is nonetheless clear: cybersecurity violations in federal contracts won't be ignored.

“Companies that hold sensitive government information… must meet their contractual obligations to protect it,” said Acting Assistant Attorney General Brett A. Shumate. “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors.”

The implications extend beyond HNFS. This case reinforces that compliance theater—the act of appearing secure without actually implementing security—has real consequences.

Security is More Than a Signed Document

At Centraleyes, we believe security should be more than a signed document—it should be a continuous, real-time effort. This case serves as a reminder that organizations need to go beyond the bare minimum.

Proactive risk management, automated compliance tracking, and real security controls aren’t just best practices—they’re essential for any company handling sensitive data.

Don’t wait for a compliance failure to become a multi-million-dollar problem. If you’re serious about security, let’s discuss how Centraleyes can help your organization.
