After all the negative press that Anthem suffered when reporting a HIPAA breach that affected 80 million customers, one might think they would avoid more bad publicity. But the health insurer is under fire for refusing to let the Office of the Inspector General (OIG) of the Office of Personnel Management (OPM), the agency overseeing the federal employee health benefits program, audit its IT security.
OIG performed a partial audit of Anthem’s IT security in 2013 and gave the company (which was WellPoint Health Networks, before Anthem and WellPoint merged) good marks ... in the parts of the system that Anthem let it see. Auditors were denied access to other parts. The OIG auditors wanted to use the same automated tools they use at other institutions to document configurations of a sample of servers, then manually compare results to the company’s approved baseline.
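The configuration-compliance check the OIG auditors wanted to run (collect each sampled server's settings with an automated tool, then compare them against the organisation's approved baseline) is simple enough to sketch. The Python below is an added example, not OIG's tooling or anything from Anthem or WellPoint; the baseline keys, the host names and the snapshot values are all constructed for illustration. It also treats a setting the collector could not read as a finding, which mirrors the auditors' point that an undocumented control is not evidence of compliance.

```python
"""Configuration-baseline comparison (illustrative example, not OIG's tool).

Collect a snapshot of each sampled server's settings, compare every
baseline item against it, and report deviations the way an auditor would.
All data below is constructed.
"""

from dataclasses import dataclass

# Approved baseline: what every in-scope server should look like (constructed).
# Numeric values are upper bounds; everything else must match exactly.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "disk.encryption": "enabled",
    "patch.max_age_days": 30,
    "services.telnet": "disabled",
}

# Snapshots as an automated collector might return them (constructed).
SERVER_SNAPSHOTS = {
    "db-01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "disk.encryption": "enabled",
        "patch.max_age_days": 12,
        "services.telnet": "disabled",
    },
    "app-07": {
        "ssh.PermitRootLogin": "yes",
        "ssh.PasswordAuthentication": "no",
        "disk.encryption": "disabled",
        "patch.max_age_days": 95,
        "services.telnet": "disabled",
    },
    "legacy-03": {
        "ssh.PermitRootLogin": "no",
        # ssh.PasswordAuthentication is absent: the collector could not read it
        "disk.encryption": "enabled",
        "patch.max_age_days": 4,
        "services.telnet": "enabled",
    },
}


@dataclass
class Finding:
    host: str
    setting: str
    expected: object
    actual: object  # None means the setting was not reported at all


def compare_to_baseline(snapshot: dict, baseline: dict, host: str) -> list:
    """Return one Finding per baseline setting the snapshot fails.

    A setting missing from the snapshot is a finding too: no evidence is
    not the same as compliance.
    """
    findings = []
    for setting, expected in baseline.items():
        if setting not in snapshot:
            findings.append(Finding(host, setting, expected, None))
            continue
        actual = snapshot[setting]
        if isinstance(expected, (int, float)):
            ok = isinstance(actual, (int, float)) and actual <= expected
        else:
            ok = actual == expected
        if not ok:
            findings.append(Finding(host, setting, expected, actual))
    return findings


def audit_sample(snapshots: dict, baseline: dict) -> dict:
    """Audit every sampled host; returns host -> list of findings."""
    return {host: compare_to_baseline(snap, baseline, host)
            for host, snap in snapshots.items()}


def compliance_summary(results: dict) -> dict:
    """The counts an auditor would put in the report."""
    noncompliant = [h for h, f in results.items() if f]
    return {
        "hosts_sampled": len(results),
        "hosts_noncompliant": len(noncompliant),
        "total_findings": sum(len(f) for f in results.values()),
    }


if __name__ == "__main__":
    results = audit_sample(SERVER_SNAPSHOTS, BASELINE)
    for host, findings in results.items():
        print(f"{host}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            shown = "<not reported>" if f.actual is None else f.actual
            print(f"  {f.setting}: expected {f.expected!r}, got {shown!r}")
    print(compliance_summary(results))
```

The real value of this kind of check is the second half of the OIG's method: the tool's output only means something when there is a documented baseline to compare it to, and when the organisation keeps the evidence of past comparisons. A network policy that forbids the auditor's collector from connecting removes the first half entirely.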
The company told the auditors that corporate policy prohibited anyone outside Anthem from connecting to the network, according to a September 2013 report by the OIG. “We were initially provided a description of what appeared to be a thorough configuration compliance auditing program at WellPoint,” the report said. “However, when we requested documentation to support this description, WellPoint was unable to provide any evidence that a configuration compliance auditing program had ever been in place at the company.”
Without data to the contrary, OIG determined that Anthem had “not implemented technical controls to prevent rogue devices from connecting to its network” and might have neglected to perform vulnerability scans on several servers with federal employee data. The Anthem servers were hacked within a year. The incident is thought to be the largest HIPAA breach by far.
OIG recently reported that it asked Anthem to participate in a vulnerability scan in the summer of 2015 but that Anthem again said no. Anthem has not issued any statements on why it refused the audit. The lack of cooperation looks especially bad after Anthem’s huge breach, says Tim Erlin, security and IT risk strategist at Tripwire, a company in Portland, OR, that assists with cyber security. “Without facts to the contrary, it’s hard not to interpret the motivation behind Anthem’s refusal as an attempt to avoid embarrassment,” Erlin says. “Regardless of the motive, declining an audit from OPM for the second time, following a massive breach, makes headlines. Insurers providing services to federal employees should be subject to security audits by the government, and they shouldn’t have a choice in the matter.”
Anthem also is under criticism from the Senate Health, Education, Labor and Pensions Committee, which accuses the insurer of dragging its feet in informing the 80 million customers affected by the cyberattack. Chairman Lamar Alexander (R-TN) and ranking member Patty Murray (D-WA) claimed recently that 50 million of those affected customers have not been informed. In a letter to Anthem’s chief executive, the senators said they were “concerned with your slow pace of notification and outreach thus far.”
A spokesperson for Anthem points out the company has set up a website and a hotline for affected customers and accelerated mailings. With so many affected customers, the logistics are challenging, he says. At press time, about 2.4 million letters were being mailed daily.
Meanwhile, the lawsuits against Anthem are beginning. A Brunswick, ME, man has filed a $5 million class action suit against Anthem Health Plans of Maine, and he claims that the company failed to adequately protect the personal information of its clients. In a complaint filed in U.S. District Court in Portland, attorney Benjamin Grant wrote on behalf of his client, Brian Mason, that Anthem acted unreasonably by failing to encrypt clients’ confidential information, including Social Security numbers and medical and financial information. In Connecticut, Wilma J. Peterman is seeking an unspecified amount from Anthem for damages and restitution in a lawsuit filed Feb. 20 in U.S. District Court — District of Connecticut. She claims the Anthem data breach could have been prevented and should have been detected earlier.
“There is little doubt victims of the Anthem data breach will suffer significant and persistent financial harm as a result,” attorneys for Peterman wrote in the lawsuit. “This time the hackers got Social Security numbers. For cyber thieves, the Social Security number is the holy grail, providing access to confidential customer information.”
The lawsuit alleges that Anthem was negligent, breached an implied contract, and violated the Connecticut Unfair Trade Practices Act.