Health Net Federal Services to Pay $11.23M to Settle Cybersecurity Compliance Issues

Mar 2, 2025

The U.S. Department of Justice has announced that Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay a financial penalty of $11,253,400 to resolve allegations that HNFS falsely certified compliance with the cybersecurity requirements of its Defense Health Agency (DHA) contract to handle the TRICARE healthcare program.

The U.S. Attorney’s Office for the Eastern District of California and the Civil Division’s Commercial Litigation Branch (Fraud Section) investigated the military health benefits administrator. The investigation showed that HNFS failed to implement the required cybersecurity controls under its DHA contract from 2015 to 2018. Despite that, HNFS certified in several yearly reports that it had implemented the controls. Under the contract, HNFS must comply with the cybersecurity requirements of 48 C.F.R. § 252.204-7012 and implement 51 security controls stated in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

HNFS failed to check for known vulnerabilities and to address vulnerabilities promptly, as required by its Systems Security Plan and the established response times. HNFS is likewise alleged to have disregarded reports submitted by its internal audit department and third-party security auditors. The security problems discovered included issues with its asset management system, configuration settings, access controls, firewalls, patch management, end-of-life software and hardware, vulnerability checks, and password guidelines.

The HNFS yearly reports showed complete compliance with all cybersecurity conditions. HNFS submitted compliance certifications three times: in November 2015, February 2016, and February 2017. The failure to address the security problems potentially endangered the sensitive data of service members and their families.

HNFS and its parent company assert that no vulnerabilities were exploited, that there was no data breach, and that the data of service members was not compromised. All accusations were denied; nevertheless, HNFS agreed to a settlement and will pay a financial penalty to avoid the delay, uncertainty, hassle, and cost of prolonged litigation. There was no admission of liability or wrongdoing. The settlement does not protect HNFS and Centene from other allegations, civil actions, or administrative penalties in the future.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
