Listen to this article
Anthem was warned by the US government about weaknesses in its computer security defences almost two years before hackers broke into the second-largest US health insurer’s database and stole personal information belonging to nearly 80m people.
The US Office of Personnel Management’s inspector general found vulnerabilities that could provide a “gateway for malicious virus and hacking activity that could lead to data breaches”, according to a September 2013 audit report.
The insurer, which serves one in nine Americans, disclosed in February that it had suffered one of the largest corporate cyber attacks to date when hackers obtained data of current and former customers and employees, including social security numbers. These are a particularly lucrative cache for potential fraudsters: they are key identifiers that Americans use to file tax returns and apply for credit cards.
Anthem’s apparent failure to fully build up its cyber defences after the 2013 audit reflects how companies often underestimate their vulnerabilities to cyber attacks. It could also provide ammunition for lawyers seeking to sue Anthem over the breach.
The health insurer then and now has denied OPM auditors full access to its network to review its cyber security, a spokeswoman for the inspector general’s office said last week. The inspector general, which acts as a watchdog for OPM, cautioned that it still could not confirm that Anthem’s servers were secure.
The 2013 audit report came two months after Anthem, a health provider for federal employees that was then known as WellPoint, had to pay a $1.7m fine after it “impermissibly disclosed” electronic records — including social security numbers — of more than 610,000 patients. The settlement with the US Department of Health and Human Services stemmed from a data breach in October 2009 to March 2010. WellPoint did not admit wrongdoing.
The latest revelations about Anthem raise questions about whether the health insurer did enough to address multiple warnings and whether OPM pressed hard enough for action.
The 2013 audit found that Anthem had not implemented controls preventing rogue devices from connecting to its network. Also, several servers containing federal government employees’ information were not routinely scanned for vulnerabilities. Auditors could not find evidence that they had ever been reviewed.
“Failure to implement a thorough configuration compliance auditing program increases the risk that insecurely configured servers remain undetected, creating a potential gateway for malicious virus and hacking activity that could lead to data breaches,” the 2013 audit said.
Anthem told the Financial Times it believed it had addressed “the vast majority” of the recommendations in the 2013 report to OPM’s satisfaction and would work to resolve any outstanding recommendations or concerns.
An OPM spokesperson said Anthem had addressed the 10 recommendations in the audit report. The inspector general’s office said they still lacked access to do a thorough review of Anthem’s security.
The inspector general, known as OIG, brought up its concerns with the OPM, which has amended its contract with Anthem to allow auditors some access, the OIG spokeswoman said. Still, she said, “This provision has proven to be insufficient.”
“We are currently working with OPM to further amend the contract,” she said, adding that another audit had been scheduled for this summer.
OIG said Anthem had told them that it was denying access because of a policy that prohibited external entities from connecting to its network. Anthem recently reiterated that auditors would not be permitted to conduct vulnerability scans.
Anthem said giving the auditors full access would have required turning off its antivirus software and could have caused outages in its system. Anthem provided an alternate vulnerability management programme as a substitute.
OIG said other health carriers had opened up their systems to inspectors. “We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident,” the OIG spokeswoman said. “We do not know why Anthem refuses to co-operate with the OIG.”
The 2013 audit said, given the access that auditors had, Anthem had implemented “a thorough incident response and network security program” but inspectors could not “attest that [the insurer’s] computer servers maintain a secure configuration.” The audit found that technical controls were lacking to prevent access “by rogue devices”, including laptops not issued or approved by the company.
In written replies to the audit then, Anthem said it believed the risks were mitigated by on-site control and training. Anthem said it required authentication for all applications in its network and no direct wireless connectivity was allowed.
The insurer added that its focus was “on protecting data”.
“We continually monitor security exposures and have built layers of defence to protect data, and will continue to implement programs that have been proven effective,” it said in response to the 2013 audit.
Additional reporting by Hannah Kuchler