The Annual Report Said Compliant.
Context
TRICARE is the Department of Defense's health benefits program, covering medical, dental, and pharmacy services for active duty military personnel, veterans, and their families. Because TRICARE enrollees include active duty servicemembers, the program's records contain not only HIPAA-protected health information but potentially sensitive location and operational data. Health Net Federal Services (HNFS) held a contract with the Defense Health Agency (DHA) to administer TRICARE across 22 states, providing information management and information technology support for the program.
The HNFS contract required compliance with 51 security controls specified in NIST SP 800-53, implementation of DFARS cybersecurity requirements, and annual submission of an A-110 NIST Certification of Compliance affirming that the required controls were implemented correctly, operating as intended, and supporting DHA's security policies. HNFS was also required to maintain a System Security Plan defining its own vulnerability response timelines. The annual certification was the mechanism by which DHA received assurance that the access HNFS held to TRICARE systems and data corresponded to a security posture meeting defined requirements.
Trigger
Between 2015 and 2018, HNFS submitted annual certifications affirming compliance with the required cybersecurity controls. The Department of Justice alleged that those certifications were false. HNFS had failed to timely scan its networks and systems for known vulnerabilities and had not remediated security flaws within the response times defined in its own System Security Plan. Critically, internal audits and third-party security assessors had identified these deficiencies and made recommendations. HNFS did not implement them. The certification that DHA received each year said the controls were in place and operating as intended. HNFS's own internal record said they were not.
The DOJ announced the $11,253,400 settlement on February 18, 2025. There was no allegation that a data breach had occurred or that servicemember data had been lost or exfiltrated. The False Claims Act liability arose not from harm that had been realized but from the knowing submission of false compliance certifications as a condition of continued contract performance. The government did not need to show that HNFS's deficient security posture had produced a specific incident. It needed to show that the certification was false and material to the government's decision to continue the contract.
Failure Condition
The annual A-110 certification functioned as an access credential. It asserted, on a recurring basis, that HNFS's security posture met the requirements under which its access to TRICARE systems and data was authorized. DHA relied on the certification. It had no independent mechanism to evaluate whether the certified posture corresponded to actual controls at the point of reliance. The certification was the instrument. HNFS's internal security state was not evaluable by DHA through the certification itself.
The structural condition this case documents is the same one present across the catalog in different institutional contexts: a credential that encodes an assertion without encoding the evidentiary boundary between what was asserted and what was actually verified. HNFS's own auditors and third-party assessors had evaluated the actual security posture. Their findings were not encoded in the credential submitted to DHA. The gap between what the certification asserted and what the internal record showed was not required to appear. It was not evaluable by the relying party at the point of reliance.
The settlement established that no data breach is required to demonstrate credential authority failure in this context. The credential was material to the government's access decision. When the credential was false, the access it authorized was not grounded in the security posture it represented. The access condition — a contractor security posture meeting defined requirements — was not present. The credential said it was.
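The two credential shapes this section contrasts can be made concrete. The following Python is an added illustration, not part of the original case entry and not HNFS's or DHA's actual A-110 format or data: it models a certification that carries only the contractor's assertion beside one that also encodes the assessor record (which controls were examined, what findings were open, and when they were closed), and a relying-party check that compares the assertion against that record and against a System Security Plan remediation deadline. The control IDs are NIST SP 800-53 identifiers; the findings, dates, and the 30-day SSP deadline are constructed for the example.

```python
"""Compliance certification with and without an encoded evidentiary record.

Constructed illustration: not HNFS's certification, not the DHA A-110 form,
and not real audit data. Control IDs are NIST SP 800-53 identifiers; the
findings, dates and SSP deadline below are made up for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One deficiency recorded by an internal audit or third-party assessor."""
    control: str                        # e.g. "RA-5" (vulnerability scanning)
    opened: date                        # date the assessor recorded it
    remediated: Optional[date] = None   # None means still open


@dataclass(frozen=True)
class Certification:
    """Annual attestation submitted to the relying party.

    asserted_compliant is what the contractor affirms. assessed and findings
    are the evidentiary boundary: which controls were actually examined and
    what the examiners found. An assertion-only certification leaves both
    empty, which is the shape the case describes.
    """
    period_end: date
    asserted_compliant: frozenset
    assessed: frozenset = frozenset()
    findings: tuple = ()


def is_evaluable(cert: Certification) -> bool:
    """The relying party can only check an assertion against evidence that is
    encoded in the credential; with no assessed-control set, nothing is."""
    return bool(cert.assessed)


def contradicted_controls(cert: Certification, ssp_remediation_days: int) -> dict:
    """Return {control: reason} for asserted-compliant controls that the
    encoded evidence contradicts as of period_end. ssp_remediation_days is the
    contractor's own SSP response deadline (hypothetical value below)."""
    deadline = timedelta(days=ssp_remediation_days)
    problems = {}
    for control in sorted(cert.asserted_compliant):
        if control not in cert.assessed:
            problems[control] = "asserted but not assessed"
            continue
        for f in cert.findings:
            if f.control != control or f.opened > cert.period_end:
                continue
            if f.remediated is None:
                problems[control] = f"finding open since {f.opened}, never remediated"
            elif f.remediated > f.opened + deadline:
                late_by = (f.remediated - f.opened).days
                problems[control] = (f"remediated {late_by}d after finding; "
                                     f"SSP allows {ssp_remediation_days}d")
    return problems


def relying_party_decision(cert: Certification, ssp_remediation_days: int) -> str:
    """What a relying party can conclude at the point of reliance."""
    if not is_evaluable(cert):
        return "not evaluable"          # assertion cannot be checked against anything
    if contradicted_controls(cert, ssp_remediation_days):
        return "reject"                 # assertion contradicted by the encoded record
    return "accept"


# Constructed sample data (hypothetical period, controls and SSP deadline).
PERIOD_END = date(2017, 12, 31)
SSP_DAYS = 30
CONTROLS = frozenset({"RA-5", "SI-2", "CA-7"})

# Form 1: assertion only. The assessor record exists but does not travel with it.
assertion_only = Certification(period_end=PERIOD_END, asserted_compliant=CONTROLS)

# Form 2: same assertion, but the assessor record is encoded in the credential.
evidence_bearing = Certification(
    period_end=PERIOD_END,
    asserted_compliant=CONTROLS,
    assessed=CONTROLS,
    findings=(
        Finding("RA-5", date(2017, 3, 1)),                      # scanning gap, still open
        Finding("SI-2", date(2017, 6, 10), date(2017, 9, 30)),  # fixed 112 days later
        Finding("CA-7", date(2017, 8, 1), date(2017, 8, 20)),   # fixed within 30 days
    ),
)

if __name__ == "__main__":
    for name, cert in (("assertion-only", assertion_only), ("evidence-bearing", evidence_bearing)):
        print(name, "->", relying_party_decision(cert, SSP_DAYS), contradicted_controls(cert, SSP_DAYS))
```

The point of the contrast is in the first form's result: the relying party is not told that the assertion is wrong, it is told nothing it can check, which is the condition under which a false certification can be accepted year after year. In the second form the same assertion is rejected on the credential's own contents, with no independent audit by the relying party.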
Observed Response
The Department of Justice settled the matter for $11,253,400 under the False Claims Act, with both HNFS and Centene Corporation as settling parties. The investigation was initiated by the government without a qui tam relator, indicating the DOJ identified the potential violation through its own enforcement activity rather than a whistleblower filing. HNFS denied the allegations and stated that no breach or loss of servicemember data had occurred. The settlement resolved the matter without a determination of liability. Centene's participation in the settlement extended liability to the parent corporation for conduct that predated Centene's 2016 acquisition of Health Net Inc.
Analytical Findings
- HNFS submitted annual certifications affirming compliance with 51 NIST 800-53 security controls while its own internal audits and third-party assessors had identified deficiencies that HNFS had not remediated
- The annual A-110 certification was the mechanism by which DHA received assurance that HNFS's access to TRICARE systems and data was grounded in a compliant security posture; DHA had no independent verification channel to evaluate whether the assertion corresponded to actual controls
- HNFS failed to scan for known vulnerabilities within required timeframes and failed to remediate security flaws within response times defined in its own System Security Plan — a standard HNFS itself had established
- The gap between what the certification asserted and what the internal security record showed was not encoded in the credential and was not evaluable by the relying party at the point of reliance
- No data breach or loss of servicemember data was alleged; False Claims Act liability arose from the knowing submission of false compliance certifications as a condition of continued contract performance
- The DOJ initiated the investigation without a qui tam relator, indicating government-initiated enforcement rather than whistleblower-driven discovery
- Centene Corporation assumed liability for HNFS's conduct through the 2016 acquisition of Health Net Inc., establishing that successor entities inherit credential authority failures that predate the acquisition
Sources
1. U.S. Department of Justice, Office of Public Affairs. "Health Net Federal Services, LLC and Centene Corporation Agree to Pay Over $11 Million to Resolve False Claims Act Liability for Cybersecurity Violations." February 18, 2025.
2. NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations; 51 controls specified in the HNFS TRICARE contract.
3. Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
4. Foley & Lardner LLP. "The More Things Change… DOJ's Latest Cyber Settlement Shows Continued False Claims Act Risk." March 2025.
5. Arnold & Porter. "DOJ Notches Second $11 Million Cyber FCA Settlement." FCA Qui Notes, March 2025.