- HIPAA Update - http://blogs.hcpro.com/hipaa -

Anthem refuses government security audit

In the wake of the cyberattack that exposed the PHI of nearly 80 million current and former Anthem, Inc., subscribers, the health insurer is refusing to comply with requests for a security audit by the Office of Personnel Management’s (OPM) Inspector General, according to HealthData Management. [2]

Anthem participates in the Federal Employees Health Benefits Program. The program provides health benefits to civilian government employees and annuitants in the U.S. The OPM oversees this program and conducts vulnerability scans and configuration compliance audits of participants’ computer servers. Anthem refused the audit because it is against the insurer’s corporate policy, HealthData Management reported.

In 2013, the OPM Office of the Inspector General attempted to audit Anthem, but the insurer implemented restrictions that prevented auditors from adequately testing the security of Anthem systems. The final 2013 report on Anthem [3] (known as Wellpoint, Inc., at the time) states that the agency was unable to attest that the insurer’s servers were secure.