$11.25 Million FCA Settlement Underscores Cybersecurity Compliance is a DOJ Priority

Health Net Federal Services (HNFS) and its parent company Centene Corporation have agreed to pay over $11.25 million to resolve False Claims Act allegations related to cybersecurity compliance failures in a Department of Defense contract. The allegations concerned false certifications of compliance with cybersecurity requirements in HNFS’s contract to administer the TRICARE health benefits program for military service members and their families. This is the ninth cyberfraud FCA settlement in less than four years, since the DOJ launched its Civil Cyber-Fraud Initiative (CCFI). This settlement further cements cybersecurity compliance as a DOJ enforcement priority and underscores its commitment to using the False Claims Act against contractors who fail to meet their cybersecurity obligations.

FCA Enforcement of Cybersecurity Compliance is on the Rise

Prior to the CCFI, there were only two known cybersecurity FCA cases: the Cisco case, which was filed in 2011 and settled in 2019 for $8.6 million, and the Aerojet case, which was filed in 2015, became public in 2017, and settled for $9 million in 2022 (after the launch of the CCFI). Since the launch, DOJ settled five cybersecurity FCA cases in 2024 alone, plus four more in 2022 and 2023. Including the HNFS settlement, ten cybersecurity FCA cases have recovered nearly $50 million for the government:

[Figure: A timeline of False Claims Act cases dealing with cybersecurity, 2019-2025]

Prior to the HNFS settlement, the largest recoveries came from whistleblower-initiated (also known as qui tam) lawsuits: the Guidehouse/Nan McKay, Aerojet, and Cisco cases.

The HNFS Settlement

According to DOJ, HNFS failed to follow its own System Security Plan, including the response times that plan established for timely scanning for known vulnerabilities and for remedying security flaws on its networks and systems. The lesson for practitioners is that the commitments written into a System Security Plan are what the government will measure a contractor against; a plan that promises more than the organization actually does is a liability rather than a safeguard. These alleged System Security Plan misrepresentations may sound familiar to those following the SEC's litigation against SolarWinds: the SEC's remaining claim against SolarWinds similarly alleges misstatements in the company's Security Statement.

The government also alleged HNFS ignored cybersecurity risks flagged by both third-party auditors and its internal audit department. Unfortunately, this is not uncommon in corporate environments. Whistleblower James Glenn was similarly ignored and then fired for flagging alleged cybersecurity vulnerabilities at Cisco. Another cybersecurity whistleblower, Andrew Harris, tried and failed to get Microsoft to address critical security vulnerabilities in its cloud infrastructure before the SolarWinds hack. These failures to heed internal reporting put us all at risk and increasingly expose companies that look the other way to liability under the FCA or the securities laws.

We all benefit when companies implement robust whistleblower response systems. These systems should include dedicated reporting channels, cross-disciplinary review teams (to prevent information silos), clear timelines for investigating reported vulnerabilities, and transparent communication with internal reporters. Most critically, companies must prevent retaliation against internal reporters. By treating internal and external security warnings as valuable intelligence rather than unwelcome disruptions, organizations can address vulnerabilities before they escalate into enforcement actions or, more devastatingly, infiltrations that compromise the confidentiality, integrity, and availability of sensitive data.