DOJ Notches Second $11 Million Cyber FCA Settlement
In the latest salvo in its ongoing Civil Cyber Fraud Initiative, the U.S. Department of Justice (DOJ) recently announced a settlement of over $11 million with Health Net Federal Services Inc. (HNFS) and its parent company Centene Corporation. This, and an $11.3 million settlement last year with Guidehouse and Nan McKay related to their alleged failure to safeguard information submitted by New York residents seeking federally funded emergency rental assistance during the COVID-19 pandemic, are the two largest settlements under the initiative to date.
The settlement with HNFS addresses allegations that HNFS falsely represented compliance with cybersecurity requirements related to its contract to administer Tricare benefits, the civilian health insurance program for members of the military. For years, HNFS had held a contract with the U.S. Department of Defense to manage Tricare in 22 states. Among its obligations under the contract was to comply with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, and to implement 51 security controls listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. HNFS’ Tricare contract additionally required HNFS to submit an annual report certifying compliance with certain NIST 800-53 security controls. DOJ alleged that, despite certifying its compliance with these provisions, HNFS was not in fact adhering to them. DOJ alleged three types of noncompliance: (1) failing to scan for, and remediate, security vulnerabilities; (2) ignoring reports from third-party auditors and its internal audit department regarding risks in its system; and (3) falsely representing compliance with certain NIST SP 800-53 controls despite not implementing those controls. HNFS denied the allegations.
As we noted at the beginning of this year, DOJ enforcement under the initiative has been coming at an increasing pace recently, and this recent settlement continues that trend. It also provides some indication that cyber False Claims Act (FCA) enforcement will remain a priority for the new administration. Like some other recent settlements, the HNFS settlement demonstrates that alleged cybersecurity compliance issues need not be central to the services provided nor headline-grabbing in order to pose cyber FCA risk. Here, there was no allegation of a data breach or cybersecurity failure. Instead, the settlement is largely premised on allegations of failures to perform day-to-day cybersecurity compliance functions, such as scanning for vulnerabilities and implementing consultants’ suggestions. This settlement also demonstrates that even where a contractor is performing services that may not at first glance have a cyber component — here, administering a government health-insurance program — that contractor still faces FCA risk for potential noncompliance with cybersecurity obligations.
We here at Qui Notes will continue to monitor the latest developments under the initiative.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.