A March 2014 audit of application controls over Premera Blue Cross' information systems found weaknesses in the payer's network security controls.
The Office of the Inspector General of the United States Office of Personnel Management conducted the audit on the Mountlake Terrace, Wash.-based payer, which earlier this week announced a cyberattack that compromised the data of 11 million customers, employees and business affiliates.
According to the OIG's audit, Premera had no issues with its security management program, but "Premera's data center did not contain controls we typically observe at similar facilities, such as multi-factor authentication and piggybacking prevention."
The audit indicates Premera installed multi-factor authentication after the OIG issued the draft report, but at time of publication of the final report, the payer had not yet implemented piggybacking prevention.
Additionally, the audit found shortcomings in Premera's network security controls, baseline configuration management, contingency planning and claims application controls.
According to a Seattle Times report, Premera received the audit findings April 18, three weeks before the payer suffered the cyberattack on May 5. Additionally, Premera did not respond to the audit findings until June 30, saying it had implemented a few changes with plans to implement others by the end of the year, according to the report.
However, Premera does not believe the audit findings are linked to the attack.
"We believe the questions OPM raised in their routine audit are separate from this sophisticated cyberattack," said Eric Earling, Premera spokesman, in the report.
More articles on cybersecurity:
Trinity Health selects Leidos for cybersecurity services
Senate cybersecurity bill stalled in White House amidst concerns of consumer spying
Healthcare organizations have 'minimal' understanding of cybersecurity threats, study finds