The Register is reporting that Anthem refused to allow U.S. government auditors to audit its systems, as required under a contract that Anthem has with the U.S. government. This news is coming out after Anthem was hacked and some 88 million customer records were stolen.
The Office of Personnel Management Inspector General audits insurers who provide insurance to government employees under the Federal Employees Health Benefits Program.
OPM has a particular audit protocol that is somewhat intrusive but not out of the ordinary, and Anthem told them no, they could not do that.
I have been a vendor to several of the world’s largest banks and they used to audit my firms on a regular basis. If we told them to go away, they would have told us to go away as well.
It is not at all clear why OPM allowed Anthem to continue to do business with the government under these circumstances. It is the difference between private industry and government.
OPM wrote a report on Wellpoint (now Anthem) that said, in part:
Wellpoint has not implemented technical controls to prevent rogue devices from connecting to its network. Also, several specific servers containing Federal data are not subject to routine vulnerability scanning, and we could not obtain evidence indicating that these servers have ever been subject to a vulnerability scan.
In addition, WellPoint limited our ability to perform adequate testing in this area of the audit. As a result of this scope limitation and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.
Given this report, it is totally unimaginable that, in private industry, they would have been allowed to continue as a supplier.
After the breach, OPM again tried to audit Anthem and they again said no.
And they continue to collect checks from the government.
This should be interesting fodder for the lawsuit machine.