US healthcare org pays $11M settlement over alleged cybersecurity lapses

Oeisdigitalinvestigator.com:

Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to resolve allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract.

The U.S. government contracted HNFS to provide managed healthcare support services for TRICARE's North Region, covering 22 states.

The contract required compliance with cybersecurity standards, specifically 48 C.F.R. § 252.204-7012 and 51 security controls from NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations).

According to a U.S. Department of Justice announcement, between 2015 and 2018, HNFS allegedly failed to implement the necessary cybersecurity measures while administering health benefits for American military service members and their families.

At the same time, the DOJ claims HNFS falsely certified compliance in its reports to the DHA, making it appear as if it adequately safeguarded people's data, even though it did not.

Specifically, HNFS has failed to take the following measures:

  • Scan for n-day vulnerabilities in its systems and apply fixes in a timely manner.
  • Consider the findings of audit reports highlighting cybersecurity risks and take action to remediate them.
  • Implement industry-standard asset management, access controls, firewall protections, and patch management.
  • Avoid using outdated hardware and software.
  • Enforce strong account password policies.

In the settlement agreement document, the United States explains that HNFS falsely attested compliance on at least three occasions: on November 17, 2015, on February 26, 2016, and on February 24, 2017.

HNFS and Centene deny all allegations and maintain that no data breaches or loss of servicemember data occurred. However, they still agreed to pay $11,253,400 to resolve the allegations.

The legal document clarifies that the settlement does not protect HNFS and Centene from criminal liability if further evidence, administrative penalties, or civil actions emerge in the future.
