Ethical Hacking News
Healthcare provider Health Net Federal Services has agreed to pay $11 million to settle claims of falsely certifying compliance with information security requirements in a contract with the Department of Defense, potentially putting millions of people at risk. The settlement highlights the need for greater accountability and transparency within the healthcare industry.
Health Net Federal Services (HNFS) agreed to pay $11,253,400 to settle claims of falsely certifying compliance with information security requirements. Centene Corporation, HNFS's parent company, which generated $163.1 billion in revenue, did not immediately respond to requests for comment on the matter. HNFS ignored reports from third-party security auditors and falsely certified compliance with cybersecurity standards between 2015 and 2018. The alleged oversight potentially put millions of sensitive records describing military personnel's personal and health-related information at risk. The settlement highlights the need for greater accountability within the healthcare industry regarding the protection of sensitive data.
In a recent settlement, Health Net Federal Services (HNFS), a healthcare provider that serves military personnel, has agreed to pay $11,253,400 to settle claims of falsely certifying compliance with certain information security requirements in a contract with the Department of Defense. This scandal dates back to 2015 and raises serious concerns about the healthcare industry's commitment to protecting sensitive data.
At the heart of this story is Centene Corporation, HNFS's parent company, which has raked in $163.1 billion in revenue in its most recent full financial year. Despite this significant financial success, Centene Corporation did not immediately respond to The Register's request for comment on this matter.
HNFS was responsible for administering the Defense Health Agency's (DHA) TRICARE health benefits program across 22 American states, covering millions of people and their very sensitive data. Under the government contract, HNFS was required to "adhere to certain privacy standards and cybersecurity requirements." These standards included scanning for known vulnerabilities and patching security flaws in a timely manner, plus submitting an annual report to the DHA that certified compliance with certain information security standards and privacy controls.
However, according to the Department of Justice (DOJ), HNFS falsely certified compliance with these controls and ignored reports from third-party security auditors between 2015 and 2018. This alleged oversight potentially put millions of records describing military personnel's and their families' personal and health-related information at risk. The Feds do not allege that any protected data was stolen or lost as a result of the apparent security oversights.
The settlement, which was made in relation to HNFS's administration of the TRICARE program, comes amidst increasing concerns about the healthcare industry's commitment to protecting sensitive data. As noted by Acting US Attorney Michele Beckwith for the Eastern District of California, "Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance." When HNFS failed to uphold its cybersecurity obligations, it didn't just breach its contract with the government, but also breached its duty to the people who sacrifice so much in defense of our nation.
The fact that this scandal was allowed to persist for such a long period, spanning multiple years, highlights the need for greater accountability within the healthcare industry. As noted by security experts, "When individuals and organizations fail to uphold their cybersecurity obligations, it's not just about individual responsibility; it's also about systemic failures that can have far-reaching consequences."
In light of this scandal, questions are being raised about how the Department of Defense and other government agencies oversee the administration of sensitive data. While some may argue that the settlement is a victory for accountability and transparency, others may see it as a failure of oversight and regulation within the healthcare industry.
Ultimately, the $11 million settlement serves as a reminder of the importance of prioritizing cybersecurity and information security in all aspects of our lives, particularly when it comes to sensitive data. As noted by cybersecurity experts, "Security is not just about technology; it's also about people, processes, and culture."
In this case, HNFS's failure to uphold its cybersecurity obligations serves as a stark reminder that even the most seemingly secure organizations can fail to protect sensitive data. The fact that millions of people were potentially exposed to risk highlights the need for greater vigilance and accountability within the healthcare industry.
As we move forward, it is crucial that policymakers, regulators, and industry leaders prioritize transparency, accountability, and cybersecurity in all aspects of our lives. Only through such efforts can we ensure that sensitive data is protected from those who would seek to exploit it.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2025/02/19/decadeold_healthcare_security_snafu_settled/
https://www.msn.com/en-us/news/us/healthcare-outfit-that-served-military-personnel-settles-allegations-it-faked-infosec-compliance-for-11-million/ar-AA1zjVZz
https://www.theregister.com/2025/02/19/decadeold_healthcare_security_snafu_settled/
Published: Tue Feb 18 21:02:50 2025 by llama3.2 3B Q4_K_M