Anthem refuses security audit following massive data breach

Things look to be going from bad to worse for Anthem Inc. The health insurer admitted to a data breach last month that compromised the personal information – including names, Social Security numbers, addresses, telephone numbers, email addresses, and employment information – of some 78.8 million people, including up to 18.8 million non-customers.

Now, Anthem has refused to allow an audit of its systems by the Office of Personnel Management’s Office of Inspector General (OIG). This isn’t the first time Anthem has failed to cooperate, either: it also refused to undergo vulnerability scans conducted by the same agency in 2013 as part of an IT security audit.

“What we had attempted to schedule for the summer of 2015 was a sort of ‘partial audit’ – what we call a ‘limited scope audit’ – that would have consisted only of the work we were prevented from conducting in 2013,” an OIG spokeswoman explained to “So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests.”

We know that the breached data was unencrypted, so what could be worse that Anthem is trying to avoid disclosing?

The OIG says: “We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG.”