Insurance provider Anthem has reportedly refused to let the US Office of Personnel Management’s Office of Inspector General (OIG) perform a full security audit of its systems, in the wake of a massive data breach that potentially affected 70 million Americans.
According to an anonymous spokesperson, the company first refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" both last summer and in 2013—so the refusals aren’t directly linked to the breach.
"What we had attempted to schedule for the summer of 2015 was a sort of 'partial audit'—what we call a 'limited scope audit'—that would have consisted only of the work we were prevented from conducting in 2013," the OIG spokeswoman said. "So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests."
Anthem has hired Mandiant to investigate the breach, and said that it is working with the FBI. It noted when the breach happened that “attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”
The lack of cooperation with OIG, though it is not a new phenomenon, is perhaps unsurprising given the circumstances. “Lack of evidence is not evidence of something lacking, and all Anthem’s refusal of the Office of Personnel Management’s Office of Inspector General (OIG) audit creates is a lack of evidence,” said Jonathan Sander, strategy and research officer for STEALTHbits Technologies, in an email. “If I were Anthem, perhaps the last thing I would want while I’m trying to rush to fix the issues revealed by their breach is to have to host strangers who will further tax my staff and create more meetings when I need action.”
Yet, in the wake of such a large incursion, the decision reflects poorly on the company. “I think the story stands by itself,” said Philip Lieberman, president at Lieberman Software, in a comment to Infosecurity. “The breach at Anthem speaks to the leadership of Anthem and their perspective on the safety and well-being of their customers.”
He added, “As with most failed security scenarios, the core problem is not technology, but is in fact a lack of leadership and culture. The refusal to allow the OIG to scan their systems should have been a warning flag that OIG should have publicly published as a public service to Anthem customers. My hope would be that the executive branch will modify the rules of engagement for the OIG so as to allow them to make these failures to comply a matter of public record, so that citizens could protect themselves.”