Anthem Blue Cross and Blue Shield will not allow a federal agency to perform standard tests for vulnerability in the health insurer’s computer systems, even after the company’s report last month that a data breach potentially exposed the personal information of 80 million consumers.
After the hack into Anthem’s data was made public, the federal Office of Personnel Management’s Office of the Inspector General tried to schedule an audit of the health insurer’s computer systems for this summer, said Susan Ruge, a spokeswoman for the OIG. Anthem refused, just as it did not permit those tests two years ago. Anthem cited “corporate policy” for the refusal, as it did in 2013, Ruge said.
The tests are meant to ensure that the health insurer has secured its computer information. Numerous other private health insurers have submitted to the tests, Ruge said.
“We do not know why Anthem refuses to cooperate with the OIG,” Ruge wrote in an email.
The health insurer did not respond to a request for comment on Tuesday afternoon.
Anthem is the parent of Empire Blue Cross Blue Shield. The company covers about 129,000 Capital Region residents, including those in Empire Blue Cross, the state’s Empire Plan, or the NYSHIP Empire Blue Cross/Blue Shield HMO.
The OPM inspector general audited Anthem, then known as Wellpoint, in 2013 as part of a routine check of insurers that provide health coverage to federal employees. In a September 2013 audit report, it warned Anthem of vulnerabilities that could open the company up to “malicious virus and hacking activity that could lead to data breaches.”
The company addressed the issues raised by the OIG’s tests. But the inspector general’s office was never able to perform all its usual security checks. Anthem told the OIG that corporate policy prohibited external entities from connecting to its network, according to Ruge.
The OIG then tried to find out about Anthem’s own practices for monitoring these areas of computer security.
“Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers,” Ruge wrote.
The OIG concluded in the audit that it was not able to independently attest that Anthem’s information was secure. Even an OPM change in contract to allow OIG’s auditors access to Anthem’s systems has proved insufficient, Ruge said.
Anthem said last month that a sophisticated cyber attack gave hackers access to names, birthdays, Social Security numbers, street addresses, email addresses, and employment and income data on 80 million consumers. The data include information going back to 2004.
As of Tuesday, the company’s investigation shows no evidence that credit card, banking or confidential health information has been compromised, according to Empire Blue Cross Blue Shield spokeswoman Sally Kweskin.
Members have received emails explaining the breach and will receive letters in coming weeks, she said. Those letters will repeat the information that has been in the news and on the company’s website, Kweskin said.
Receiving a letter is not an indication that the company is aware that a particular member’s information has been accessed, she said. Nor does the absence of a letter signal that a consumer’s information is safe.
Date: March 4, 2015