Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract.
The U.S. government contracted HNFS to provide managed healthcare support services for TRICARE’s North region, covering 22 states.
The contract required compliance with cybersecurity standards, specifically 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations).
According to a U.S. Department of Justice announcement, between 2015 and 2018, HNFS allegedly failed to implement the required cybersecurity measures while administering health benefits for American military service members and their families.
At the same time, the DOJ claims HNFS falsely certified compliance in its reports to the DHA, making it appear as if it adequately safeguarded people’s data, although it did not.
Specifically, HNFS failed to take the following measures:
- Scan for n-day vulnerabilities in its systems and apply fixes in a timely manner.
- Consider the findings of audit reports highlighting cybersecurity risks and take action to remediate them.
- Implement industry-standard asset management, access controls, firewall protections, and patch management.
- Avoid using outdated hardware and software.
- Follow strong account password policies.
In the settlement agreement document, the U.S. government explains that HNFS falsely attested compliance on at least three occasions: on November 17, 2015, on February 26, 2016, and on February 24, 2017.
HNFS and Centene deny all allegations and maintain that no data breaches or loss of servicemember information occurred. However, they still agreed to pay $11,253,400 to settle the allegations.
The legal document clarifies that the settlement does not protect HNFS and Centene from criminal liability if additional evidence, administrative penalties, or civil actions emerge in the future.