DOD contractor hit with $11M fine for health data mismanagement

A U.S. military contractor has agreed to an $11.2 million settlement with the U.S. Department of Justice (DOJ) to resolve allegations that it falsely certified compliance with data security standards.

According to the complaint, between 2015 and 2018, Health Net Federal Services failed to meet certain cybersecurity controls and, in annual reports sent to the Department of Homeland Security (DHS), lied about its failure to meet federal healthcare data management standards.

Health Net was contracted by the U.S. Department of Defense (DOD) to administer the Tricare health coverage program, which is reserved for active duty military personnel, retirees, and their families. Given the sensitivity of the associated patient data, Health Net was responsible for ensuring its safety by meeting specific standards and performing security checks. 

Per the DOJ, the company failed to identify vulnerabilities in a timely manner and did not properly address data breach risks identified on its network. The alleged failures included not deploying security patches and not properly managing access passwords in a manner consistent with federal law.

“Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance,” Acting U.S. Attorney Michele Beckwith for the Eastern District of California said in a statement. “When Health Net Federal Services failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”

The agency also accused Health Net of ignoring “reports from third-party security auditors and its internal audit department” that outlined potential risks of sensitive health data being accessed by unauthorized parties or possibly leaked to hackers.

The issues outlined in those reports included firewall settings, access controls, and more. The DOJ alleges that Health Net certified compliance even though it knew it was in violation of federal law.

The incidents in question occurred under the prior corporate ownership of Health Net; however, the new entity is ultimately responsible for any liabilities. Despite agreeing to the fine, the company disputes some of the allegations. The settlement is not a determination of guilt.

Chad Van Alstin Health Imaging Health Exec
