US watchdog: Anthem snubbed our security audits before and after enormous hack attack

A year or so before American health insurer Anthem admitted it had been ruthlessly ransacked by hackers, a US federal watchdog had offered to audit the giant's computer security – but was rebuffed. And, after miscreants looted Anthem's servers and accessed up to 88.8 million private records, the watchdog again offered to audit …

  1. Anonymous Coward
    Anonymous Coward

    Insurance companies don't pay attention to anything but money. So unless the hacker threatens to cancel his policy, he'll go unnoticed.

    Also, I cannot name any names, but I might know 2 big names that don't even know how to contact their own IT security, because they don't know where they're located! It's just a bunch of "No", "I don't know" and "Sorry" with insurance companies, like cash sucking vacuums let off the wire.

    True story, no shit. Back in the Y2K days you could walk around these places randomly. For instance, if there was an attractive woman working in a certain department, you could just plop down next to her and talk. If a manager would come up to you and ask where you're from and what you are doing, you could just say "I'm on the COBOL Y2K thing." When they told you to get back to your department, you could say "I'm already there" and they would just look at you a little apologetically and say "Sorry," walking away. NOBODY KNEW!

    1. Eric Olson

      Funny story, but many insurers do these days. The HIPAA law actually does make insurers both responsible for and liable for data breaches when it concerns Protected Individual Information and Protected Health Information, the latter bringing steeper fines and cease-and-desist notices when you screw up.

      More importantly, those that deal with the federal government often are held to standards that probably would result in most clients being laughed out of the building. This is even more true when it's dealing with Medicare or veterans' benefits. I'm not saying that other insurers would pass a typical pen test, but the fact Anthem outright refused to cooperate with an audit that other providers of benefits for the federal government submitted to speaks volumes about the company's attitude towards security.

      Frankly, the sooner that such breaches result in massive financial loss and wholesale bankruptcy of a company or corporation, the better. Teach the survivors a lesson on why spending money on security is actually important. Until a company is run out on a rail, it will get lip service, then be buried under dozens of other projects with an ROI that can be measured in profits or potential daily fines (the only thing I ever saw get the attention of those writing CBAs for compliance work).

      1. Doctor Syntax Silver badge

        "Frankly, the sooner that such breaches result in massive financial loss and wholesale bankruptcy of a company or corporation, the better."

        Whilst I agree with the sentiment if this were to happen to an insurance company it would leave a lot of innocent customers without the insurance cover they'd paid for. Massive financial loss & wholesale bankruptcy of the senior management team and board of directors would be perfectly acceptable, however.

        1. Mad Chaz

          Private entities SHOULD BE ALLOWED TO FAIL. No private sector company should ever be considered too big to fail. As for the clients, if the insurance corp goes under, they can get it elsewhere. And if it goes under, it means it had no fucking idea how to "assess risk". Bit of the bread and butter of insurance companies, you would think.

        2. Eric Olson

          It depends on the arrangement. For many large employers who offer insurance, they actually just hire an insurance company to pay claims and curate a provider network. It's called self-insured and usually has other provisions like stop-loss insurance and things like that. The assets themselves (premiums from the paycheck and a set-aside by the company) are placed in a trust that is legally separate from the company. So if the company goes down, those assets are not up for grabs by creditors. How it's handled... I'm not sure. Never been part of that, though I assume that as long as the company is being restructured, they still have to use the trust to pay claims.

          But in that case, the large employer just had a Third-Party Administrator expose your employees (or more importantly, the VIPs of the company like the CEO and executives), meaning that you should be able to sue that TPA's pants off for breach of contract as well as take your business to a (hopefully) less porous TPA, resulting in only minimal disruption to your employees' (really, the VIPs') health care.

          It would likely hurt those who are fully insured (group-rate insurance) because the bankruptcy would likely result in a suspension of service. However, in those cases, what would likely happen is that it would be a restructure, not liquidation... and it would result in many debt-holders (like providers who submitted claims as part of their contract) getting only a percentage of the amount due. Health care then wouldn't stop either, and many of the group-rate insurance and individual insurance groups would go to another insurer.

    2. WatAWorld

      It is policy holders that should cancel, not the hackers.

      @mybackdoor It is policy holders that should cancel their policies to exert monetary pressure, not the hackers.

  2. Blofeld's Cat
    Facepalm

    Hmm...

    "We do not know why Anthem refuses to cooperate"

    "Never attribute to malice that which is adequately explained by stupidity." - Hanlon's razor

  3. Compression Artifact

    Anthem has told me personally and announced publicly that any unexpected phone calls received from someone claiming to be Anthem are fake.

    I got one of these calls about five hours ago and hung up on them. I did a web search on the phone number that appeared in the caller ID. It was that of some unrelated business--probably spoofed. I've been getting these occasionally over the last year. This one was a different style and had a human on the other end instead of a robot. And the earlier calls were not as obviously spoofed.

  4. Sebastian A
    Paris Hilton

    Of course they declined.

    As they say, ignorance is bliss. Why would you let anyone tell you what the problems are when you can stick your fingers in your ears and remain in a state of perpetual euphoria?

    Of course, Paris is the obvious choice.

  5. Anonymous Coward
    Anonymous Coward

    Regulations that can't be enforced don't help to regulate much.

  6. Mephistro

    Easy peasy!

    1) - Put on hold all federal payments to Anthem until the audit is complete.

    2) - Give them an ultimatum to allow the audits or have all their contracts terminated. No more than two weeks, please.

    ...

    4) - See how they bend over faster than a mousetrap. Profit !!!

    1. MrDamage Silver badge

      Re: Easy peasy!

      Not to mention the govt can also demand a refund for all the payments made from the time that the initial audit was offered, up until they agree to the audit.

    2. Kevin McMurtrie Silver badge

      Re: Easy peasy!

      Insurance companies and the US government are both experts at fee manipulation. I picture both of them gathering greasy, vile, monocle-wearing lawyers and financiers into a dark room, deep underground, around an ancient and worn wooden table to plan the next attack.

  7. Notas Badoff
    WTF?

    Proof of government stupidity!

    Oh wait, no it isn't.

    It _is_ proof that unexamined private business can be more stupid than is suspected of the government. That a business that won't explain its processes must be assumed to be hiding Hanlon's razor up its butt. As if the banking snarguffage wasn't a good enough demonstration.

    1. Voland's right hand Silver badge

      Re: Proof of government stupidity!

      It is a proof of government stupidity.

      They did not cancel any VA and Federal employee cover there and then. As they should have for non-compliance.

  8. WatAWorld

    Why does US OPM use suppliers that don't meet standard requirements?

    Anthem is obviously motivated by money, like most of the rest of us. Why let them save money by saving the effort of cooperating with OIG audits?

    Why does the OPM give Anthem a commercial advantage? Why the favoritism?

    And why does the OPM not remove Anthem from its list of suppliers in order to use the money lever to motivate it to accept a standard OIG audit?

    Why is the US OPM sending money to an uncooperative supplier that won't allow the standard auditing of US suppliers?

    But by setting the precedent that the mandatory audit is optional, the US Office of Personnel Management is making the audit optional for all suppliers.

    This could result in corporate standards at other organizations forcing them to refuse to be audited too.

    The fault in this, as far as government personnel breaches, is 90% US OPM and its failure to remove a supplier after the supplier failed to meet OIG standards.

    Anthem is responsible for the breaches that lost other data.

    Those who have a choice should stop doing business with them.

    If you have a choice and don't stop doing business with a company that can't meet relatively simple security requirements, then it's partly your own fault.

    (Note: Nobody has been able to make a bullet-proof general purpose full function PC operating system. So using Windows after Windows breaches is not the same thing. There are alternatives, but those alternatives are not secure either.)

  9. earl grey
    Flame

    there's really a very simple fix

    Start with the board of directors and the top 3 levels of management and throw all their asses in chokey until the audit gets done.

    Then once the audit is done, figure out the fines that will be coming out of those management levels' pockets (not the business per se) and extract the fines with due diligence and extreme prejudice.

  10. DryBones
    Mushroom

    Sounds to me like the OIG needs to call in the FTC and the FBI. This needs to go from "data breach" to "criminal negligence", and "disbarment from government contracts" fast.

  11. This post has been deleted by its author

  12. DubyaG

    There is another way.

    Simple, lay a subpoena on them and bring big guys with lots of handcuffs. Problem solved.

  13. Senshi

    "Anthem participates in the US Federal Employees Health Benefits Program, which requires regular audits from the OIG, audits that Anthem allegedly thwarted. Other health insurers submit to Uncle Sam's audits 'without incident'"

    So, where's the punishment for Anthem? Are they 'too big to fail?'

    If regular audits are required, then hold them to it, or remove them from the Federal Employees Health Benefits Program.

  14. Joe User
    Facepalm

    Access by "external entities"

    According to OIG, Anthem declined to allow auditors to connect to its network, citing a corporate policy against allowing external entities to access its computer systems.

    Oh, the irony....

  15. Henry Wertz 1 Gold badge

    Yeah...

    Yeah... saying they don't allow required federal security audits for security reasons seems pretty ludicrous. I am curious about the state of IT there... obviously flawed given these hacks, but was it fairly close to compliant (or even compliant to the extent that it'd pass the audit tests), or was it a real disaster area? (Or somewhere in between?)
