Those Suing Anthem Seek Security Audit DocumentsLawyers in Breach-Related Suit Argue OPM Audit Findings Are Relevant
Plaintiffs suing Anthem Inc. in the wake of a cyberattack that exposed information on nearly 80 million individuals in 2015 want a court to open the door to revealing more of the results of audits of the insurer conducted by the U.S. Office of Personnel Management.
See Also: HIPAA Audits: A Revised Game Plan
An 827-page document recently filed in U.S. district court in Washington by attorneys representing the plaintiffs in the consolidated class action lawsuit against Anthem seeks a court order compelling OPM to produce "a small number of documents" that OPM has identified as relating to a 2013 security audit and a 2015 "follow-on audit" of the insurer's information systems.
OPM's Office of Inspector General performs a variety of audits on health insurers - including Anthem - that provide health plans to federal employees under the Federal Employee Health Benefits Program. The court filing notes that among those affected by the Anthem breach were "millions" of federal employees enrolled in health insurance offered by Anthem affiliates through FEHBP, which is administered by OPM.
The court filing notes that the OPM audit documents pertaining to Anthem, formerly known as Wellpoint, likely contain highly "probative information" related to:
- The state of IT security at WellPoint/Anthem at the time of the 2013 audit and 2015 follow-on audit;
- The insurer's knowledge of IT security vulnerabilities;
- Whether the company failed to undertake measures to appropriately monitor and secure personal information;
- What actions the insurer took to circumvent OPM's efforts to conduct IT security audits.
Such information will assist the plaintiffs in proving their claims against Anthem and other defendants in the breach lawsuit, the filing claims.
About 100 lawsuits against Anthem have been consolidated into one federal class-action case in a California, in which plaintiffs, among other things, are seeking actual and statutory damages and restitution.
Anthem in 2013 refused to allow OMP OIG auditors to conduct a vulnerability test as part of a full security audit of the insurer's systems. OPM had noted that Anthem said its corporate policy prohibited external entities from connecting to the Anthem network. The insurer did, however, allow the watchdog agency to conduct an information systems general and application control audit in 2013.
Among the findings of that more general 2013 audit, OIG found that Anthem, "has established a series of IT policies and procedures to create an awareness of IT security at the plan. We also verified that [Anthem] has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees," according to the OIG audit report released in September 2013.
After Anthem revealed the cyberattack in February 2015, OPM OIG requested to conduct a follow-up audit of the health plan's security in the summer of 2015, but the watchdog agency was again met with resistance. OPM OIG, in a March 2015 statement provided to Information Security Media Group, said Anthem had again refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" (see Anthem Refuses Full Security Audit).
However, an OPM OIG spokeswoman on Nov. 3 told ISMG that OPM OIG did indeed conduct a narrow security audit on Anthem in 2015, following the breach. "In 2015 we went back to Anthem to conduct a limited-scope security audit where we performed additional testing. A limited-scope audit is where we intentionally look at only certain items. A scope limitation means that we were unable to conduct all work we intended," she says. "We cannot provide any additional comments due to pending litigation."
The plaintiffs' motion seeks a subpoena for the documents related to the 2015 OPM audit. The court filing also does not indicate the extent of the watchdog agency's 2015 review.
"Plaintiffs' counsel have been informed by the Department of Justice that OPM did conduct a 2015 follow-on audit and that a 2015 draft audit report was provided by OPM to Anthem in the spring of 2016. The 2015 draft audit report is not privileged and plaintiffs' counsel are currently seeking production of the 2015 draft audit report from Anthem," the plaintiff's motion states.
"On October 6, 2016, the DOJ informed plaintiffs' counsel that OPM is currently administratively reviewing the 2015 final audit report to redact any confidential business information provided to OPM by Anthem and that it will be publicly releasing a redacted 2015 final audit report 'shortly.' A 2015 final audit report has not been produced in the litigation by Anthem," the plaintiffs' filing notes.
Although OPM has provided about 150 pages of various audit documents to the plaintiffs, the court filing noted that OPM was "withholding documents for which it asserted privilege and not merely because documents contained confidential information."
The plaintiffs' attorneys, argue, however, that their clients "need for the documents and the compelling interest of millions of Federal Employee Class members and 80 million affected persons is sufficient to overcome the minimal, if any, potential for harm to OPM in light of the protections already in place for the handling and use of such documents."
The court filing also notes: "The very purpose of OPM's IT security audits was ... to protect the [federal class] members from unauthorized disclosure of their personal information and to ensure they are getting state-of-the-art IT security of their personal information. ... Where those audits revealed security flaws that if timely corrected may have thwarted the massive Anthem data breach, it would be a perversion of the system to deny the victims of the data breach access to work done by OPM on their behalf."
As an alternative to OPM segregating and releasing to the plaintiffs the requested documentation related to the IT security audits of Anthem, the plaintiffs ask that OPM should instead submit the documents to the court for review, which would permit a judge to determine whether the documents should be allowed in open court.
Anthem and an attorney representing plaintiffs in the class action lawsuit did not immediately respond to ISMG requests for comment on the case.
But one legal expert argues that the release of documentation related to OPM's security audits of Anthem is a bad idea.
"I would generally be concerned about the release of any kind of audit report like this," says privacy attorney Kirk Nahra of the law firm Wiley Rein LLP. "First, it can create ongoing new security problems by revealing information. Second, any time these kinds of reports - which are designed to improve security activity - end up being used against someone, that creates terrible incentives. It will be bad for both individuals and industry if efforts to review and improve security end up being used after the fact to create problems and liability."
Public disclosure of security audit findings will also potentially "create more reasons for companies to refuse to share this kind of information with other business partners and to refuse to cooperate in efforts to evaluate security, which also creates both business tensions and additional security risks," Nahra says.