Not Much of a Thank You: TRICARE Contractor Resolves $11M False Claims Act Liability for Known Cybersecurity Violations
Friday, March 14, 2025

February 2025 saw an important False Claims Act settlement involving allegations of known cybersecurity failures by Health Net Federal Services Inc. (HNFS), a government contractor that provides TRICARE healthcare management services to active duty military members and their families. HNFS, as well as its parent corporation Centene, agreed to pay just over $11 million to resolve alleged false claims submitted to the U.S. Department of Defense.

While American values dictate that we thank service members for their role in protecting our freedoms, this government contractor instead chose to submit false claims in order to keep up their deal with the Department of Defense. Ultimately, it was taxpayers who footed the bill for fraud and false claims with government contractors. Taxpayers should never pay for shoddy services, especially not when it comes to healthcare and protecting personal and sensitive data relating to military members and their families.

The Allegations Against Health Net Federal Services, LLC and Centene Corporation

According to the DOJ, parent corporation Centene and its subsidiary Health Net Federal Services (HNFS) failed to meet certain minimum cybersecurity protocols between 2015 and 2018 while providing data management services to the U.S. Department of Defense through its administration of TRICARE. HNFS may have exposed U.S. service members’ personal and health data, as well as that of their families, by failing to scan for known vulnerabilities and to patch known security flaws. The networks and systems maintained by HNFS during this three-year period were reported by third-party security auditors, as well as the company’s own internal audit department, as inadequate in terms of:

  • Asset management
  • Access controls
  • Flawed configuration settings
  • Weak firewalls or lack of firewalls in use
  • End-of-life hardware and software in place
  • Lack of patch management
  • Vulnerability scanning
  • Shoddy password policies

HNFS not only allegedly failed to install updates from vendors that would have countered known threats; it also allegedly falsely certified compliance in annual reports to DHA in order to keep its government contract with TRICARE. In order to resolve these allegations, the company Centene Corporation, which acquired all shares of HNFS as well as its liabilities, has agreed to pay $11,253,400. The matter was resolved in collaboration with the U.S. Department of Justice Civil Division’s Commercial Litigation Branch (Fraud Section) and the U.S. Attorney’s Office for the Eastern District of California, as well as with assistance from the DoD Office of Inspector General, the DCIS, Cyber Field Office Western Region, the Inspector General’s Office of Audits, Cyberspace Operations Directorate, and the DoD’s Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center.

What Is TRICARE?

TRICARE is a federal health insurance program administered by the U.S. Department of Defense and its contractors. TRICARE provides healthcare coverage to qualifying members of the U.S. military and their families, including:

  • Active duty service members and their families
  • National Guard and Reserve members and families
  • Medal of Honor recipients and their families
  • Survivors
  • Children
  • Former spouses

TRICARE is similar to Medicare in that it is a primary health insurance provider funded by taxpayer dollars and administered by a federal agency. While Medicare covers older Americans ages 65 and up, TRICARE provides medical, dental, and pharmacy coverage for U.S. military members, veterans, and family members. Because of this, TRICARE also maintains personal and sensitive data for military members, including some confidential location information for active duty personnel. Like all health data, TRICARE records include HIPAA-protected information and other confidential information, which can be exposed to data breaches by criminal hackers and contractors who do not take their cybersecurity obligations seriously. TRICARE breaches are especially troubling because they can lead to the unlawful dissemination of protected information that compromises individual health privacy and potentially national security.

Federal Healthcare Programs Are Vulnerable to Cybersecurity Breaches

Acting U.S. Attorney Michele Beckwith for the Eastern District of California spoke about the HNFS settlement, saying “Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance. When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”

Healthcare and defense spending on government contracts are two of the most at-risk areas for fraud, waste, and abuse. Taxpayers lose billions of dollars every year to government contractors and healthcare organizations that take advantage of federal healthcare programs like Medicare, Medicaid, and TRICARE, with an estimated 10% of program expenses at risk. Meanwhile, the Government Accountability Office reports that the U.S. Department of Defense is particularly vulnerable to false or fraudulent claims involving overbilling, billing for work never performed or services not rendered to beneficiaries, fraudulent bid submissions, non-competitive bids, the provision of substandard parts or services, and the failure to disclose data breaches and other cybersecurity risks.

How Whistleblowers Can Protect Americans Through the False Claims Act

Under the U.S. Department of Justice’s Civil Cyber Fraud Initiative, private companies that contract with the federal government are obligated to uphold certain minimum cybersecurity standards. When they fail to do so, or falsely certify compliance with cybersecurity requirements, they can be held accountable under the False Claims Act for treble damages and penalties to the federal government. Through a qui tam lawsuit, whistleblowers who report on these kinds of violations can also receive a percentage of the government’s total recovery. These percentages can range from 10% to 30% of the final settlement. The False Claims Act imposes treble damages upon violators, as well as individual penalties ranging from $13,946 to $27,894 for each false claim. The law also allows whistleblowers (known as relators) who meet certain eligibility requirements and are the first to report cybersecurity fraud, government contractor fraud including DOD fraud, or healthcare fraud to receive a reward for their inside information.

Whistleblowers can come from all walks of life and may include current or former employees of any potential defendant, such as employees of government contractors, health care entities, or any regulated company; non-employees (examiners, competitors, clients, customers, auditors, reviewers, consultants, industry experts); and anyone with evidence and knowledge of fraud involving government money. As long as you come forward willingly and in a timely manner, you may be able to bring a qui tam case with the help of a qui tam lawyer and recover a reward. There are also additional protections for employees, including cybersecurity professionals, who speak up. These may include:

  • The option to initially report anonymously through a qui tam law firm
  • A federal right of action to sue for reinstatement if you are fired from your company as a result of your protected disclosure
  • Up to double back pay with interest from the period during which you were demoted, suspended, or let go
  • Possible front pay, in cases where reinstatement is not possible
  • Additional damages and attorneys’ fees.