Anthem Refusing Security Audit Following Breach

Anthem has refused to undergo vulnerability scans and configuration compliance tests in the aftermath of a breach that may have leaked the personal information of nearly 100 million customers and non-customers.

UPDATED–Anthem has refused to undergo vulnerability scans and configuration compliance tests in the aftermath of a breach that may have ultimately leaked the personal information of nearly 100 million customers and non-customers.

The health insurance giant reportedly turned down an audit of its systems by the Office of Personnel Management’s Office of Inspector General (OIG), the office that performs audits at health insurance carriers providing benefits to federal employees.

According to a statement the OPM OIG provided to GovInfoSecurity.com, the watchdog recently contacted Anthem to propose a “partial scope” audit of the company’s systems this summer. The audit would have entailed work the office had planned to carry out in 2013, before the company refused that audit as well.

“We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident,” the OIG wrote in the statement. “We do not know why Anthem refuses to cooperate with the OIG.”

According to the OPM OIG’s statement, the only reason Anthem would cite when asked why it was declining an audit was “corporate policy.”

Email inquiries to Anthem were not immediately returned on Thursday.

Last week Anthem announced that between 8.8 million and 18.8 million additional individuals – Blue Cross Blue Shield customers who may have used their insurance in states in which Anthem operates – may also be implicated in February’s breach.

That figure is in addition to the 78.8 million customer records the company initially confirmed were accessed in the breach.

This story was corrected on March 6 to reflect the fact that it was the Office of Personnel Management’s OIG, and not the OIG at Health and Human Services, that attempted the audits.

Discussion

  • Robert.Walter on

    Such a company, especially after having demonstrated its lack of secure systems, should be excluded from programs that involve government payments.
  • todd on

    I think you meant 100,000,000 (million) not thousands.