Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anthem Blocking Federal Auditor From Doing Vulnerability Scans

Posted by samzenpus on from the suspicious-behavior dept.

chicksdaddy writes Anthem Inc., the Indiana-based health insurer, has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients. According to this article, Anthem is citing "company policy" that prohibits third party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems. OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers aren't mandated to comply — though most do. This isn't Anthem's first time saying "no thanks" to the offer of a network vulnerability scan. The company also declined to let OIG scan its network in 2013. A partial audit report issued at the time warned that the company, then known as WellPoint, "provided us with conflicting statements" on issues related to information security, including Wellpoint's practices regarding regular configuration audits and its plans to shift to IBM's Tivoli Endpoint Manager (TEM) platform.

4 of 116 comments (clear)

  1. There's a diff between "Blocking" and "Refusing" by jddj · · Score: 3, Interesting

    If they can actually block the scans, that'd be... well...more secure than their track record indicates.

  2. Anthem is a publicly traded company by hamjudo · · Score: 5, Interesting
    Anthem is traded on the NYSE under the symbol WLP.

    They should be required to file an 8K form to legally inform all of their stock holders that they have material news that may adversely affect their future stock price, or even company viability.

    After having been informed of extreme security issues on our network, Anthem Inc has elected to ignore the situation. Furthermore, Anthem Inc's network is so embarrassing, that Anthem Inc has decided to risk significant fines and legal expenses, rather than allow adults to see just how bad it is.

    Translation, shareholder lawsuits may be addressed to Joseph R. Swedish, et al.

  3. Re:The industry needs more regulation by bouldin · · Score: 3, Interesting

    This will definitely provide fodder for all the class action lawsuits that are in the works.

    I wonder just how reckless a business has to be with their security before they risk charges of criminal negligence.

  4. Re:Anthem is normal here by Anonymous Coward · · Score: 2, Interesting

    I work for a large multinational in the human capital management space and we let a select number our customers do penetration testing. Our customers range from Fortune 500 to government agencies in the US and EU. It is not an unheard of practice, and I would argue it is quite common for these requests to come up, especially during contract negotiations.