A military health-benefits contractor and its parent agreed to pay $11.2 million in 2025 to resolve allegations they falsely certified compliance with cybersecurity requirements under TRICARE contracts. The case was one of the largest cybersecurity FCA settlements in DOJ's Civil Cyber-Fraud Initiative pipeline. Coverage from Mintz.
The certification trap
TRICARE contractors handle protected health information (PHI) for service members and dependents. The contracts incorporate cybersecurity controls that contractors certify they meet. The settlement underscores DOJ's standard theory: false certifications submitted to the government are FCA-actionable even when no breach occurs — the misrepresentation itself is the violation.
Healthcare federal contractors — pay attention
- HIPAA obligations and contract cybersecurity clauses overlap, but compliance with one does not satisfy the other
- FedRAMP-required services must hold authorizations at the contracted impact level — gaps are FCA exposure
- Certifications made downstream by subcontractors are part of your FCA risk surface, not just your own
What to do
- Map every cybersecurity attestation against the actual control implementation — close gaps before recompete
- Disclose proactively under DOJ's voluntary self-disclosure framework when warranted
- Embed quarterly third-party audits to keep certifications honest