A federal class action lawsuit filed by at least 100 victims of a data breach involving Anthem Blue Cross of California may have consequences that change how the healthcare industry is regulated. If the plaintiffs win, you’ll likely see a sea change in how organizations work with, or obstruct, regulators. If Anthem wins, it’ll fundamentally change how organizations conduct security audits.
A Case of Mistaken Security
Plaintiffs suing Anthem Inc. following a cyberattack that exposed the personally identifiable information of nearly 80 million individuals in 2015 want a court to open the door to revealing more of the results of audits of the insurer conducted by the U.S. Office of Personnel Management (OPM). About 100 lawsuits against Anthem have been consolidated into one federal class-action case in California, in which plaintiffs, among other things, are seeking actual and statutory damages and restitution.
An 827-page document recently filed in U.S. district court in Washington D.C. by attorneys representing the plaintiffs in the consolidated class action lawsuit against Anthem seeks a court order compelling OPM to produce “a small number of documents” that OPM has identified as relating to a 2013 security audit and a 2015 “follow-on audit” of the insurer’s information systems.
OPM’s Office of Inspector General routinely performs a variety of audits on health insurers – including Anthem – that provide health plans to federal employees under the Federal Employee Health Benefits Program. The court filing notes that among those affected by the Anthem breach were “millions” of federal employees enrolled in health insurance offered by Anthem affiliates through FEHB, which is administered by OPM.
The court filing notes that the OPM audit documents pertaining to Anthem, formerly known as Wellpoint, likely contain highly “probative information” related to:
- The state of IT security at WellPoint/Anthem at the time of the 2013 audit and 2015 follow-on audit;
- The insurer’s knowledge of IT security vulnerabilities;
- Whether the company failed to undertake measures to appropriately monitor and secure personal information;
- What actions the insurer took to circumvent OPM’s efforts to conduct IT security audits.
A History of Audit Requests
In 2013, Anthem refused to allow OPM OIG auditors to conduct a vulnerability test as part of a full security audit of the insurer’s systems. OPM had noted that Anthem said its corporate policy prohibited external entities from connecting to the Anthem network. The insurer did, however, allow the watchdog agency to conduct an information systems general and application control audit in 2013.
Among the findings of that more general 2013 audit, the OIG audit report released in September 2013 states that Anthem “has established a series of IT policies and procedures to create an awareness of IT security at the plan. We also verified that [Anthem] has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees.”
After Anthem revealed the cyberattack in February 2015, OPM OIG asked to conduct a follow-up audit of the health plan’s security in the summer of 2015, but the watchdog agency was again met with resistance. In a March 2015 statement provided to Information Security Media Group, OPM OIG said Anthem had again refused to allow the agency to perform “standard vulnerability scans and configuration compliance tests.”
DataBreachToday.com provides further details on the case. We’ll be watching the outcome and will report on it in a future post.
Get a Security Evaluation Now
Spade Technology is a qualified IT services leader that can make your computer network safer and more secure against cyber threats, breaches, and attacks. If you are concerned about the state of your IT security, or about potential compliance violations, give us a call at (508) 339-5163 or email us at firstname.lastname@example.org for an in-depth consultation or for more information.