Anthem, the country’s second-largest health insurer, has refused to allow the Office of Personnel Management’s Office of Inspector General (OIG) to conduct vulnerability scans on its IT systems after recently suffering a data breach affecting 78.8M individuals, according to GovInfoSecurity. Anthem previously refused vulnerability tests during an OIG audit back in 2013.
“What we had attempted to schedule for the summer of 2015 was a sort of ‘partial audit’ – what we call a ‘limited scope audit’ – that would have consisted only of the work we were prevented from conducting in 2013,” said an OIG spokeswoman in a statement. “So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests.”
OPM’s OIG conducts a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers are not mandated to cooperate with security audits; however, amendments are made to insurers’ federal contracts to specifically require the full audits.
Anthem allegedly cited “corporate policy” as the reason for refusing to cooperate with the OIG. Anthem did not respond to ISMG’s request for comment.