Well being Web Federal Companies (HNFS) and its mum or dad firm, Centene Company, have agreed to pay $11,253,400 to settle allegations that HNFS falsely licensed compliance with cybersecurity necessities beneath its Protection Well being Company (DHA) TRICARE contract.
The U.S. authorities contracted HNFS to supply managed healthcare assist providers for TRICARE’s North area, protecting 22 states.
The contract required compliance with cybersecurity requirements, particularly 48 C.F.R. § 252.204-7012 and 51 safety controls from NIST Particular Publication 800-53 (Safety and Privateness Controls for Federal Info Methods and Organizations).
In keeping with a U.S. Division of Justice announcement, between 2015 and 2018, HNFS allegedly didn’t implement the required cybersecurity measures whereas administering well being advantages for American navy service members and their households.
On the identical time, the DOJ claims HNFS falsely licensed compliance of their studies to the DHA, making it seem as in the event that they adequately safeguarded folks’s knowledge, though they did not.
Particularly, HNFS has didn’t take the next measures:
- Scan for n-day vulnerabilities in its programs and apply fixes in a well timed method.
- Contemplate the findings of auditing studies highlighting cybersecurity dangers and take motion to remediate them.
- Implement industry-standard property administration, entry controls, firewall protections, and patch administration.
- Keep away from utilizing outdated {hardware} and software program.
- Comply with robust account password insurance policies.
Within the settlement settlement doc, the U.S. state explains that HNFS falsely attested compliance on a minimum of three events: on November 17, 2015, on February 26, 2016, and on February 24, 2017.
HNFS and Centene deny all allegations and preserve that no knowledge breaches or lack of servicemember info occurred. Nonetheless, they nonetheless agreed to pay $11,253,400 to settle the allegations.
The authorized doc clarifies that the settlement doesn’t defend HNFS and Centene from felony legal responsibility if extra proof, administrative penalties, or civil actions emerge sooner or later.
