Centene Dinged on Cyber Failures

Centene Corp. is paying $11.2 million to settle a lawsuit claiming that poor cybersecurity at one of its subsidiaries qualifies as a violation of the False Claims Act, in yet another example of how cybersecurity risk is worming its way into all parts of corporate compliance.

The subsidiary in question is Health Net Federal Services, which provides healthcare support services to the Defense Department. Health Net had won a government contract in the 2010s to support TriCare (the healthcare system for U.S. soldiers and other uniformed personnel) with referral management, claims processing, and other services across 22 states. As part of that contract, Health Net had to certify its compliance with NIST 800-53, a cybersecurity standard government contractors are supposed to follow to protect sensitive but unclassified data, such as personal healthcare information.

Well, according to the Justice Department and a few other federal regulators, Health Net didn’t adhere to the NIST 800-53 framework, even though it submitted annual compliance certifications from 2015 through 2018. Regulators then sued Health Net under the False Claims Act, alleging that because the company had promised strong cybersecurity controls and then didn’t deliver, it had overcharged Uncle Sam for services delivered.

One interesting point is that, as described in the settlement agreement released Tuesday, it’s not clear that Health Net ever suffered a data breach thanks to the insufficient cybersecurity controls — but then, there didn’t need to be a breach to cause Health Net all this litigation trouble. As the settlement itself said, “The United States alleges that [Health Net]’s claims for reimbursement on the contract were false, regardless of whether there was any exfiltration or loss of servicemember data or protected health information.”

Internal auditors and CISOs should write that part down, since it could come in handy when defending audit plans or arguing for more resources to build and test a strong cybersecurity program. If you’re a government contractor, you almost inevitably will need to certify compliance with one of the NIST standards (there are several; the one you need to follow will vary depending on the data you handle), and false certifications alone are enough to drag your business into a civil lawsuit. 

A Lack of Cybersecurity Controls

Exactly what cybersecurity controls did Health Net not implement, you ask? The Justice Department cited several allegations in its settlement:

  • Failing to conduct vulnerability scans in a timely manner and to remedy flaws on the company’s networks and systems according to a system security plan and response times Health Net had previously established;
  • Ignoring reports from third-party security auditors and even Health Net’s own internal audit department about cybersecurity risks related to the company’s network security and IT asset management;
  • Poor management of configuration settings, firewalls, hardware retirement, and software patch management; 
  • Lax password policies. 
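The first allegation above turns on whether findings were remediated within the response times the company had itself committed to in its system security plan. The check below is an added illustration, not code from the original post or from Health Net or Centene: it takes a list of scanner findings and classifies each one against a remediation SLA keyed by severity, so an audit or security team can produce the kind of evidence (or spot the kind of gap) that this allegation describes. The SLA values, host names and findings are constructed for the example and are not Health Net's actual plan or data.

```python
from datetime import date, timedelta

# Remediation deadlines by severity, in days from first detection.
# These numbers are an assumption for this example; a real organization
# would take its committed response times from its own system security plan.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed sample findings (not real data): one vulnerability per entry,
# with the date the scanner first reported it and the date it was closed
# (None if still open).
FINDINGS = [
    {"id": "F-1", "host": "app01", "severity": "critical",
     "first_seen": date(2024, 1, 2), "closed": date(2024, 1, 10)},
    {"id": "F-2", "host": "app01", "severity": "high",
     "first_seen": date(2024, 1, 2), "closed": None},
    {"id": "F-3", "host": "db01", "severity": "medium",
     "first_seen": date(2023, 11, 1), "closed": date(2024, 3, 15)},
    {"id": "F-4", "host": "fw01", "severity": "low",
     "first_seen": date(2024, 2, 1), "closed": None},
]

# Reference dates for the example run (also constructed).
AS_OF = date(2024, 3, 1)        # the date the review is performed
LAST_SCAN = date(2024, 2, 20)   # most recent completed vulnerability scan


def deadline(finding):
    """Date by which the finding had to be remediated under the SLA."""
    return finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])


def evaluate(findings, as_of):
    """Classify each finding against its SLA as of the given date.

    Returns a dict mapping finding id to one of:
      'closed_in_sla'  - fixed on or before the deadline
      'closed_late'    - fixed, but after the deadline
      'open_in_sla'    - still open, deadline not yet reached
      'overdue'        - still open and past the deadline
    """
    results = {}
    for f in findings:
        due = deadline(f)
        if f["closed"] is not None:
            results[f["id"]] = "closed_in_sla" if f["closed"] <= due else "closed_late"
        else:
            results[f["id"]] = "open_in_sla" if as_of <= due else "overdue"
    return results


def overdue_ids(findings, as_of):
    """Sorted ids of findings that are open and past their SLA deadline."""
    return sorted(i for i, s in evaluate(findings, as_of).items() if s == "overdue")


def scan_gap_ok(last_scan, as_of, max_gap_days):
    """True if the most recent scan falls within the committed scan interval,
    i.e. scans are being run 'in a timely manner' relative to the plan."""
    return (as_of - last_scan).days <= max_gap_days


if __name__ == "__main__":
    for fid, status in evaluate(FINDINGS, AS_OF).items():
        print(f"{fid}: {status}")
    print("overdue:", overdue_ids(FINDINGS, AS_OF))
    print("scan interval ok (30 days):", scan_gap_ok(LAST_SCAN, AS_OF, 30))
```

Run as a script it lists each finding's status and the overdue set. The point for an auditor is that the three inputs (committed SLA, first-seen date, closure date) are exactly what a regulator would ask for; if any of them is not recorded, the company cannot show it met its own plan, whatever its certification said.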

None of these specific issues are new or surprising; Radical Compliance has been writing about them for years. The broader problem for CISOs and internal auditors is that your company needs to develop strong internal mechanisms to get such issues solved in a disciplined, documented manner. That’s how you can demonstrate adherence to a cybersecurity framework you need to follow, and avoid missteps such as making false compliance certifications. 

Lots of GRC vendors out there will say you need some sort of tool to help you adhere to those cybersecurity frameworks. They’re not wrong. These days, large businesses handling lots of confidential data are typically subject to multiple cybersecurity regimes at the same time, with lots of overlap. So you need some way to…

  • Identify the specific regulatory requirements for your firm; 
  • Map out where those requirements do and don’t overlap; 
  • Perform a gap analysis to see whether your existing controls meet those requirements; and 
  • Assign, enforce, and document any remediation work that needs to be done. 

You won’t do that well with spreadsheets; actually my bet is you’ll do that pretty terribly with spreadsheets. It’s not my place to recommend specific vendors, but I will say that this settlement reminds us yet again that the more cybersecurity and data privacy become a core competency for all businesses, the more GRC technology needs to be part of your technology stack.

A Note on Compliance Improvements

Typically settlements like this include a discussion of compliance or security program improvements the company in question agrees to undertake. We don’t have any discussion of that here. 

One can only speculate about why that is. It’s possible that Health Net’s parent company Centene doesn’t need to undertake any new cybersecurity measures, because the non-compliance in question happened six years ago and Centene is a large, sophisticated company with plenty of audit and security capabilities already.

The cynic in me, however, wonders whether the Trump Administration wants to move away from insisting on deep, long-lasting reforms at a company accused of misconduct, in favor of wrapping up matters quickly by agreeing to a monetary penalty for prior misconduct and calling it a day. (Centene itself had no public statement on the settlement, but then again, the company also makes more than $160 billion in revenue annually; an $11 million settlement for one subsidiary is chump change.)

Regardless, the case is a useful reminder to internal auditors and CISOs that cybersecurity continues to march up the ladder of corporate risks. You’ll need good GRC capabilities to grapple with that, no matter what. 
