Dive Brief:
- A federal agency reports that Anthem Inc. refused to agree to a standard vulnerability scan following its extensive data breach, and that the insurer had also refused the scan in 2013.
- The Office of Personnel Management's Office of Inspector General requested to perform the IT security testing this summer and was denied for the second time.
- "What we had attempted to schedule for the summer of 2015 was a sort of 'partial audit'—what we call a 'limited scope audit'—that would have consisted only of the work we were prevented from conducting in 2013," an OIG spokeswoman told Information Security Media Group. "So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests."
Dive Insight:
The OIG routinely performs voluntary security audits of health insurers participating in the Federal Employee Health Benefits Program (FEHBP), but the standard contract does not require such audits.
However, the OIG spokeswoman told ISMG that occasionally, contract amendments are written to require the full audits, and the OIG is now attempting to get such an amendment for Anthem's FEHBP contract.
The OIG said in its statement to ISMG that after Anthem's breach, "we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is 'corporate policy.'"
In its statement, the OIG also notes: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."