Department of Justice Targets Cybersecurity Compliance

DOJ Settles $11M False Claims Act Case with Health Net

In February, the Department of Justice announced a settlement with Health Net Federal Services (HNFS) for over $11 million to resolve False Claims Act allegations that the company falsely certified it was in compliance with cybersecurity requirements under a contract with the Department of Defense (DOD). The contract was to administer TRICARE, a health benefits program for servicemembers and their families, for the DOD’s Defense Health Agency (DHA).

According to the settlement agreement, between 2015 and 2018, HNFS allegedly failed to meet certain cybersecurity controls and falsely certified compliance with them in annual reports to DHA. The Department of Justice (DOJ) alleged that HNFS failed to timely scan for known vulnerabilities and to resolve security flaws on its networks and systems in accordance with its System Security Plan and within the response times HNFS had established. DOJ also alleged that HNFS disregarded reports from security auditors and its internal audit department of potential cybersecurity risks on its systems related to asset management, access controls, installing critical security updates to counter known threats, and other security violations.

HNFS’s Cybersecurity Obligations Under the DOD Contract

HNFS was obligated under its DOD contract to “provide information management and information technology support as needed to accomplish the stated functional and operational requirements of the TRICARE program” and to adhere to certain privacy standards and cybersecurity requirements, including security controls listed in the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53), Security and Privacy Controls for Information Systems.

Notably, there was no allegation in this case of exfiltration or loss of protected health information or servicemember data. Making knowingly false statements about adherence to material government contract specifications violates the False Claims Act, regardless of whether a data breach has occurred.

Importance of Cybersecurity Compliance in Government Contracts

“Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance,” said Acting U.S. Attorney Michele Beckwith for the Eastern District of California. “When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”

Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service said, “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”

Phillips & Cohen Protects Cybersecurity Whistleblowers

Whistleblowers will be instrumental in uncovering False Claims Act violations related to failing to meet the government’s cybersecurity requirements in government contracts or programs. If you know of cybersecurity violations and would like to speak to a whistleblower attorney, contact Phillips & Cohen for a confidential review of your case.
