Subpoena Issued Demanding Release of OPM’s Anthem Audit

Shortly after the announcement of a massive cyberattack on Anthem Inc., the nation’s second-largest insurance company, several class-action lawsuits were filed by victims of the breach.

The cyberattack exposed members’ sensitive data, including names, birthdates, and Social Security numbers. In total, around 78.8 million members were affected by the breach.

The lawsuits, which have since been consolidated by the Judicial Panel on Multidistrict Litigation, claim Anthem failed to secure and protect members’ sensitive data, which has left the plaintiffs facing an increased risk of fraud that will last a lifetime.

At the time the lawsuits were filed, financial harm had not been suffered. Now, more than a year later, many members of the class action have discovered their data have been used for fraud. Identities have been stolen, credit cards have been applied for, notices of fraudulent financial activity have been received, and credit scores have been damaged.

Anthem notified members of the breach of sensitive data and offered credit monitoring and identity theft repair services to affected members for a period of 24 months, although the plaintiffs claim this is insufficient.

Since the breach, Anthem has not disclosed further detail on the cyberattack, such as how the attack occurred. However, the plaintiffs allege that Anthem was aware that the cybersecurity protections it employed were substandard and its defenses against cyberattacks were seriously flawed.

In 2013, the U.S. Office of Personnel Management (OPM) conducted an audit of Anthem Inc. The results of that audit detailed several security failures that left Anthem’s computer systems at risk from hackers. The report indicated Anthem did not routinely perform vulnerability scanning to identify potential security risks and there were no controls in place to prevent rogue devices from connecting to its network.

OPM was prevented from conducting a further test on Anthem’s servers to check for out-of-date software, with Anthem denying the agency access, claiming it would breach corporate policies. Following the discovery of the breach, OPM conducted a further security audit; however, the agency will not release the results, claiming the information contained in its report is privileged and immune from disclosure.

The plaintiffs have now filed a subpoena demanding that the results of that audit be handed over. They claim the audit results show Anthem was aware that its security controls were flawed. According to Modern Healthcare, the court filing reads, “Where those audits revealed security flaws that if timely corrected may have thwarted the massive Anthem data breach, it would be a perversion of the system to deny the victims of the data breach access to work done by OPM on their behalf.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.