Anthem Inc. has refused to allow a federal watchdog to conduct an audit of its IT systems, following a huge data breach last month that could have affected up to 80 million of its customers.
As Government Information Security reports, the health insurer has refused to agree to the vulnerability scans and configuration compliance tests that The Office of Personnel Management's Office of Inspector General (OIG) offers to health insurers. Anthem also refused to let the same agency conduct security audits in 2013.
The data breach suffered by Anthem in February was one of the largest corporate cyberattacks to date, but, according to the Financial Times, it might have been avoided had the company agreed to the initial audit request in September 2013. The OIG identified vulnerabilities at the time that could provide a "gateway for malicious virus and hacking activity," but was refused access to conduct a comprehensive audit.
Responding to the recent data breach, OIG said in a statement: "we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is 'corporate policy.'"
The statement continued: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."
The Financial Times notes that Anthem previously stated that giving auditors full access would require turning off its antivirus software, which could in turn cause outages in its IT systems.
As reported by We Live Security last week, it's not just Anthem customers at risk from the recent hack, but also at least 8.8 million customers who signed up to healthcare plans run by independent firms in parts of the country where Anthem does not have a presence.