Anthem refuses comprehensive IT security audit after the breach
Recently breached US health insurer Anthem has refused to let the Office of Personnel Management’s Office of Inspector General (OIG) perform a full security audit of its systems, and this is not the first time this has happened, reports GovInfoSecurity.
The company also refused to allow the federal watchdog agency to scan its systems for vulnerabilities and misconfigurations back in September 2013. Citing “corporate policy” as the reason, and fearing outages because it would have had to turn off its antivirus software for the agency to perform the testing, Anthem passed on the offer (as is its right to do, apparently).
It did, however, allow the OIG to conduct general testing of its information systems, as well as an application control audit, in 2013.
It is possible that a full audit would have uncovered issues that might have been exploited to mount the successful attack in 2014, but it’s impossible to tell.
The OIG says that they “have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident,” and that they don’t know why Anthem refused to cooperate in this matter.
The Anthem breach is one of the largest healthcare breaches to date, affecting 78.8 million individuals, between 8.8 million and 18.8 million of whom are not Anthem customers.