DoD TRICARE Contractor Settles $11.3M for Cybersecurity Compliance Failures

  • Writer: Avraham Cohen
  • Apr 27, 2025
  • 10 min read

If you are in a hurry -> Lessons and Best Practices for CISOs


Introduction

In February 2025 the U.S. Department of Justice announced that Health Net Federal Services, LLC (HNFS) – a DoD contractor administering the TRICARE military health program – agreed to pay $11,253,400 to settle False Claims Act (FCA) allegations (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice).



The settlement resolves claims that HNFS falsely certified compliance with required cybersecurity controls from 2015 through 2018, even though it allegedly failed to implement many of those controls (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice).



The case was prosecuted by the U.S. Attorney’s Office for the Eastern District of California and the DOJ Civil Division’s Fraud Section, with investigative support from DoD’s Office of Inspector General (including DCIS) and the Defense Contract Management Agency (DCMA) (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice) (DOJ Continues Cybersecurity False Claims Act Enforcement in New Administration - King & Spalding).


Contractual Cybersecurity Requirements

HNFS’s TRICARE contract (the “T3” North Region managed care support contract) included strict cyber requirements.


Under the contract, HNFS was bound to “adhere to certain privacy standards and cybersecurity requirements, including but not limited to 48 C.F.R. § 252.204-7012 and 51 security controls listed in NIST SP 800-53 (Rev. 4)”.


In practice this meant implementing dozens of NIST-based controls (comparable to those in NIST SP 800-171/800-53) to protect TRICARE data.


The Defense Health Agency (DHA) required HNFS to submit an annual “A-110 NIST Certification of Compliance” report, affirming that those specified controls were “implemented correctly, operating as intended, and support[ed] the security policies of the Defense Health Agency”.


In short, HNFS had to demonstrate each year that it had carried out the contract-mandated security controls.


Alleged Compliance Failures and False Certifications

DOJ alleged that from 2015–2018, HNFS did not meet the contract’s cybersecurity obligations but nonetheless certified that it had.


According to the complaint and settlement documents, HNFS failed to timely scan for known vulnerabilities and to remediate security flaws across its networks and systems (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice).


Its System Security Plan set specific response times for fixing critical issues, but HNFS allegedly fell behind schedule.


Worse, multiple auditors – both external security firms and HNFS’s internal audit department – repeatedly flagged serious security weaknesses.


These included inadequate asset management and inventory (i.e. not knowing what hardware/software was on the network), weak access controls, insecure configuration settings, poor firewall management, continued use of end-of-life hardware and software, deficient patch management, missing vulnerability scans, and weak password policies (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice).


Despite these gaps, HNFS’s annual DHA compliance reports falsely attested that it was in full compliance with the contract’s required controls.


In effect, HNFS was claiming the security program was fully implemented when it was not.


The United States contended that each invoice or reimbursement claim submitted under the contract was therefore “false,” because it was premised on a false certification of security compliance (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice).


Notably, the FCA case did not hinge on an actual data breach; the government alleged the claims were false “regardless of whether there was any exfiltration or loss of servicemember data or protected health information”.


In other words, knowingly misrepresenting cybersecurity compliance was sufficient to violate the FCA, even if no breach had yet occurred.


Settlement and Enforcement Context


Approximately $5.63 million of the $11,253,400 settlement is restitution (a refund of contract payments); the remainder constitutes civil FCA penalties and interest.


The agreement releases HNFS and Centene from liability under the FCA and related causes of action for the “Covered Conduct” (the 2015–2018 security failures), but it explicitly notes that neither party admitted any actual loss of data or wrongdoing.


Acting Civil Division Assistant Attorney General Brett Shumate warned that companies handling sensitive government data must “meet their contractual obligations” to safeguard it (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice).


Eastern District of California Acting U.S. Attorney Michele Beckwith echoed that failing security obligations “breached [HNFS’s] duty to the people who sacrifice so much in defense of our nation” (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice).


DCIS Special Agent in Charge Ken DeChellis added that DCIS will continue investigating contractors who “fail to comply with federal cybersecurity requirements” (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice).


This case is part of a broader Civil Cyber-Fraud Initiative launched by DOJ in 2021, which targets contractors that lie about cybersecurity.


A Recorded Future news report noted that the HNFS settlement “is part of the DOJ’s Civil Cyber-Fraud Initiative, announced in October 2021,” and that it invokes the FCA, an 1863 law, to penalize false statements about security (Managed healthcare defense contractor to pay $11 million over alleged cyber failings | The Record from Recorded Future News).


DOJ has been active: for example, in 2024 it settled with Guidehouse Inc. for $11.3M over cyber testing failures, fined Penn State $1.25M for HIPAA/cyber lapses, and sued Georgia Tech on a whistleblower complaint (Managed healthcare defense contractor to pay $11 million over alleged cyber failings | The Record from Recorded Future News).


Even without whistleblowers, DOJ can bring FCA suits directly, and the new Administrative False Claims Act (AFCA) (effective Dec. 2024) further enables agencies to pursue security lapses on their own (DOJ Continues Cybersecurity False Claims Act Enforcement in New Administration - King & Spalding).


Notably, this HNFS case involved multiple DoD investigative bodies – DCIS and the Defense Industrial Base Cybersecurity Assessment Center (part of DCMA) – signaling increased scrutiny of contractors’ cybersecurity (DOJ Continues Cybersecurity False Claims Act Enforcement in New Administration - King & Spalding).


Cybersecurity Issues in TRICARE Data

The TRICARE program processes vast amounts of personal health and military data.


Much of this information is HIPAA-protected and some active-duty personnel information is highly sensitive (Cybersecurity Failures Lead to $11M Settlement).


Although DOJ did not allege that HNFS experienced an actual breach, the missing controls put service members’ data at risk.


As the National Law Review commentary observed, “it is taxpayers who footed the bill for fraud and false claims” in this healthcare context (Cybersecurity Failures Lead to $11M Settlement).


Protecting TRICARE’s network is therefore a national-security priority.



Lessons and Best Practices for CISOs

CISOs and cybersecurity teams can learn from this case to avoid similar liability:

  • Understand and Enforce Contract Requirements. Carefully review all cybersecurity clauses (e.g. DFARS 252.204-7012, NIST SP 800-171/800-53, HIPAA rules for health data). Map each contractual control to internal policies and ensure there is a process to implement and document it. Use the contract’s System Security Plan (SSP) and certification forms as checklists, and do not certify compliance unless each control is truly in place.

  • Accurate Compliance Reporting. Before submitting any certification or attestation, verify its accuracy. Maintain comprehensive evidence – vulnerability scan results, patch logs, configuration baselines, audit reports, etc. – to support the certification. As DOJ noted, the contract required that “security controls… be implemented correctly”. If gaps are found during self-assessments or audits, update the SSP/Plan of Actions & Milestones (POA&M) and address them before certifying. Never “rubber-stamp” a compliance form without validating all requirements.

  • Robust Vulnerability Management. The HNFS claims centered on failing to scan and patch known vulnerabilities (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice). CISOs should implement continuous vulnerability scanning and formal patch management. This means scheduling regular (e.g. weekly) scans, tracking critical findings, and remediating them within defined windows. For example, if a government contract requires patches within 30 days for high-severity flaws, ensure that workflow is documented and met. Automated tools can help inventory assets, push patches, and log completion.

  • Strict Configuration and Asset Control. Maintain an up-to-date inventory of hardware, software, and network devices. Apply secure configurations (using benchmarks or STIGs) and regularly verify them. The settlement noted shortcomings in “asset management” and “configuration settings” (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice). To avoid this, use configuration management tools and limit unmanaged devices. Retire or isolate end-of-life systems promptly; if they must remain, document compensating controls.

  • Strong Access Controls and Password Policies. Enforce least privilege and multi-factor authentication wherever possible. Regularly review user accounts and permissions – especially for admin or shared accounts. Weak “password policies” were cited as a failure in this case (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice). Implement and monitor controls such as account lockouts, session timeouts, and password complexity requirements. Periodically audit access logs for anomalies.

  • Audit Findings Remediation. Treat internal and external audit reports as immediate priorities. The HNFS case shows the danger of ignoring third-party auditor reports (Office of Public Affairs | Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations | United States Department of Justice). For every audit finding (penetration test, third-party review, or internal audit), create a tracked remediation plan. Even if a control is not yet fully implemented, document interim measures and timelines. This “feedback loop” among IT security, compliance, and audit teams ensures nothing slips through.

  • Cross-Functional Coordination. Coordinate between security, legal, and contracting departments. CISOs should work with contracting officers and legal counsel to understand reporting obligations. When contracts require certifications, involve compliance or legal teams in the review process. Training programs (for IT and contract staff) can reinforce the importance of accurate reporting.

  • Prepare for Government Scrutiny. The DoD’s DIBCAC may audit contractor networks. Develop a “mock audit” process or pre-assessment to ensure readiness. Document all security measures so that, if investigated, you can show due diligence. Having a mature security posture can mitigate enforcement risk even if issues are found later.

  • Stay Current on Cyber Policies. Be aware of evolving requirements such as CMMC, HIPAA updates, and new executive orders. As King & Spalding notes, the new Administrative FCA (AFCA) gives agencies more power to act on cybersecurity lapses (DOJ Continues Cybersecurity False Claims Act Enforcement in New Administration - King & Spalding). Update your security program accordingly to meet not only current but anticipated standards.
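The vulnerability-management and accurate-reporting practices above come down to one check: does every finding meet the remediation window the SSP commits to, and is there evidence of it before anyone signs the certification? The following script is an added example (not code from the article or from HNFS) that runs that check over constructed findings; the SSP window lengths, finding IDs and asset names are all assumed values.

```python
"""Pre-certification gate: flag findings that breached their SSP remediation
window. Added example; all windows, findings and asset names are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SSP remediation windows in days, by severity (constructed values).
SSP_WINDOWS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    discovered: date
    remediated: Optional[date] = None  # None means the finding is still open


def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=SSP_WINDOWS[f.severity])


def is_overdue(f: Finding, as_of: date) -> bool:
    """True if the finding was closed after its due date, or is still open past it."""
    closed = f.remediated if f.remediated is not None else as_of
    return closed > due_date(f)


def overdue_findings(findings, as_of):
    return [f for f in findings if is_overdue(f, as_of)]


def certification_gate(findings, as_of):
    """Return (ok, report): ok is True only when no finding breached its window.
    The report is the evidence list a CISO would need before attesting."""
    overdue = overdue_findings(findings, as_of)
    report = [f"{f.finding_id} {f.severity} on {f.asset}: due {due_date(f)}, "
              + (f"closed {f.remediated}" if f.remediated else "still open")
              for f in overdue]
    return (len(overdue) == 0, report)


# Constructed sample findings (not real HNFS data).
SAMPLE = [
    Finding("V-1", "web-01", "critical", date(2025, 3, 1), date(2025, 3, 10)),  # closed in time
    Finding("V-2", "db-02", "high", date(2025, 2, 1), date(2025, 3, 20)),       # closed 17 days late
    Finding("V-3", "fw-01", "critical", date(2025, 3, 20)),                      # open past due date
    Finding("V-4", "app-03", "medium", date(2025, 3, 15)),                       # open, still in window
]
AS_OF = date(2025, 4, 15)

if __name__ == "__main__":
    ok, report = certification_gate(SAMPLE, AS_OF)
    print("safe to certify" if ok else "DO NOT certify; overdue findings:")
    for line in report:
        print("  " + line)
```

Feed it the export from your scanner and ticketing system instead of `SAMPLE`, and keep the report alongside the signed certification as the evidence the contract asks for.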


By rigorously implementing these best practices, contractors can avoid “false claim” pitfalls.


The HNFS case underscores that knowing non-compliance – even without a breach – can trigger severe penalties.


CISOs should therefore treat contract security clauses as binding mandates, not mere paperwork.


Accurate compliance, continuous monitoring, and prompt remediation are not just good security hygiene – they are also critical legal protections under the FCA.

