Anthem refuses federal audit of IT systems

Even after suffering a massive cyberattack in February, Indianapolis-based Anthem refuses to allow a federal agency to conduct vulnerability scans on its IT systems, according to GovInfoSecurity.

The Office of Personnel Management's Office of Inspector General asked to schedule an audit for summer 2015 of "standard vulnerability scans and configuration compliance tests" of Anthem's IT systems, but Anthem said no, according to the report.

This is the second time Anthem has refused such scans. In 2013, Anthem also did not allow the OIG to conduct the vulnerability tests, according to the report.

"What we had attempted to schedule for the summer of 2015 was a sort of 'partial audit' — what we call a 'limited scope audit' — that would have consisted only of the work we were prevented from conducting in 2013," said an OIG spokeswoman in the report.

The OPM's OIG conducts audits on payers providing health plans to federal employees under the Federal Employee Health Benefits Program, but payers are not required to cooperate with the audits. However, amendments are sometimes made to payers' federal contracts to require full audits, and the OIG is currently seeking such an amendment to Anthem's FEHBP contract, according to the report.

Anthem allegedly cited "corporate policy" as the reason for denying the security audits, according to the report.


Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 
