
Health Net Federal Services Inc.'s False Claims Settlement Totals $11.2M


Industry: Technology

At A Glance

On February 18, 2025, Health Net Federal Services Inc. (HNFS) reached an $11.2 million settlement agreement to resolve allegations that it falsely certified compliance with DoD cybersecurity requirements.

Allegations

HNFS administers the Defense Health Agency's TRICARE health benefits system for servicemembers and their families. The allegations state that, between 2015 and 2018, HNFS failed to scan for and remedy cybersecurity deficiencies and falsely certified compliance in annual reports to the Defense Health Agency.

  • $11.2M settlement payout
  • Failed to follow controls in SSP
  • Falsely certified compliance to DHA
  • Ignored internal and external auditors

DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.

Kenneth DeChellis

Cyber Field Office Special Agent in Charge, Defense Criminal Investigative Service (DCIS)


Background

Health Net Federal Services Inc. is contracted by the United States Department of Defense to administer the Defense Health Agency's health benefit program, TRICARE. The program is for servicemembers and their families.

Defense contractors are required to meet, and affirm compliance with, stringent cybersecurity regulatory standards.

Key Allegations

HNFS is alleged to have violated the False Claims Act by affirming compliance with DoD-specific cybersecurity requirements while knowingly failing to scan for and address vulnerabilities and security deficiencies in its networks and systems.

The United States further alleges that HNFS ignored reports from both internal and third-party security auditors of existing cybersecurity risks related to:

  • Asset management
  • Access controls
  • Configuration settings
  • Firewalls
  • End-of-life hardware and software
  • Patch management
  • Vulnerability scanning
  • Password policies

The alleged failures violated HNFS's own System Security Plan (SSP) as well as the regulatory standards HNFS was contractually obligated to implement in doing business with the DoD.

Takeaways for Defense Contractors

In the wake of the cases against Penn State and Georgia Tech, and numerous highly publicized hacking campaigns, the Department of Justice is making it clear that meeting and maintaining robust cybersecurity practices is the expectation for contractors within the Defense Industrial Base.

The HNFS settlement serves as a warning to defense contractors that:

A. It is essential to have buy-in from all levels of your organization to support and nurture a company culture around cybersecurity best practices.

B. The Department of Justice is willing and ready to support the enforcement of cybersecurity compliance regulations.

C. Although the regulatory landscape is complex and constantly evolving, there is an expectation for businesses of all sizes to achieve compliance.

 

Disclaimer: The information presented in this case study is based on publicly available data and is intended for educational purposes only. The allegations discussed are yet to be proven in a court of law, and there has been no determination of liability.
