[BreachExchange] Those Suing Anthem Seek Security Audit Documents

[Audrey McNeil]

http://www.databreachtoday.com/those-suing-anthem-seek-
security-audit-documents-a-9498

Plaintiffs suing Anthem Inc. in the wake of a cyberattack that exposed
information on nearly 80 million individuals in 2015 want a court to open
the door to revealing more of the results of audits of the insurer
conducted by the U.S. Office of Personnel Management.

An 827-page document recently filed in U.S. district court in Washington by
attorneys representing the plaintiffs in the consolidated class action
lawsuit against Anthem seeks a court order compelling OPM to produce "a
small number of documents" that OPM has identified as relating to a 2013
security audit and a 2015 "follow-on audit" of the insurer's information
systems.

OPM's Office of Inspector General performs a variety of audits on health
insurers - including Anthem - that provide health plans to federal
employees under the Federal Employee Health Benefits Program. The court
filing notes that among those affected by the Anthem breach were "millions"
of federal employees enrolled in health insurance offered by Anthem
affiliates through FEHBP, which is administered by OPM.

The court filing notes that the OPM audit documents pertaining to Anthem,
formerly known as Wellpoint, likely contain highly "probative information"
related to:

The state of IT security at WellPoint/Anthem at the time of the 2013 audit
and 2015 follow-on audit;
The insurer's knowledge of IT security vulnerabilities;
Whether the company failed to undertake measures to appropriately monitor
and secure personal information;
What actions the insurer took to circumvent OPM's efforts to conduct IT
security audits.

Such information will assist the plaintiffs in proving their claims against
Anthem and other defendants in the breach lawsuit, the filing claims.

About 100 lawsuits against Anthem have been consolidated into one federal
class-action case in a California, in which plaintiffs, among other things,
are seeking actual and statutory damages and restitution.

Audit Requests

Anthem in 2013 refused to allow OMP OIG auditors to conduct a vulnerability
test as part of a full security audit of the insurer's systems. OPM had
noted that Anthem said its corporate policy prohibited external entities
from connecting to the Anthem network. The insurer did, however, allow the
watchdog agency to conduct an information systems general and application
control audit in 2013.

Among the findings of that more general 2013 audit, OIG found that Anthem,
"has established a series of IT policies and procedures to create an
awareness of IT security at the plan. We also verified that [Anthem] has
adequate human resources policies related to the security aspects of
hiring, training, transferring, and terminating employees," according to
the OIG audit report released in September 2013.

After Anthem revealed the cyberattack in February 2015, OPM OIG requested
to conduct a follow-up audit of the health plan's security in the summer of
2015, but the watchdog agency was again met with resistance. OPM OIG, in a
March 2015 statement provided to Information Security Media Group, said
Anthem had again refused to allow the agency to perform "standard
vulnerability scans and configuration compliance tests" (see Anthem Refuses
Full Security Audit).

However, an OPM OIG spokeswoman on Nov. 3 told ISMG that OPM OIG did indeed
conduct a narrow security audit on Anthem in 2015, following the breach.
"In 2015 we went back to Anthem to conduct a limited-scope security audit
where we performed additional testing. A limited-scope audit is where we
intentionally look at only certain items. A scope limitation means that we
were unable to conduct all work we intended," she says. "We cannot provide
any additional comments due to pending litigation."

The plaintiffs' motion seeks a subpoena for the documents related to the
2015 OPM audit. The court filing also does not indicate the extent of the
watchdog agency's 2015 review.

"Plaintiffs' counsel have been informed by the Department of Justice that
OPM did conduct a 2015 follow-on audit and that a 2015 draft audit report
was provided by OPM to Anthem in the spring 2016. The 2015 draft audit
report is not privileged and plaintiffs' counsel are currently seeking
production of the 2015 draft audit report from Anthem," the plaintiff's
motion states.

"On October 6, 2016, the DOJ informed plaintiffs' counsel that OPM is
currently administratively reviewing the 2015 final audit report to redact
any confidential businessinformation provided to OPM by Anthem and that it
will be publicly releasing a redacted 2015 final audit report 'shortly.' A
2015 final audit report has not been produced in the litigation by Anthem,"
the plaintiffs' filing notes.

Privileged Information?

Although OPM has provided about 150 pages of various audit documents to the
plaintiffs, the court filing noted that OPM was "withholding documents for
which it asserted privilege and not merely because documents contained
confidential information."

The plaintiffs' attorneys, argue, however, that their clients "need for the
documents and the compelling interest of millions of Federal Employee Class
members and 80 million affected persons is sufficient to overcome the
minimal, if any, potential for harm to OPM in light of the protections
already in place for the handling and use of such documents."

The court filing also notes: "The very purpose of OPM's IT security audits
was ... to protect the [federal class] members from unauthorized disclosure
of their personal information and to ensure they are getting
state-of-the-art IT security of their personal information. ... Where those
audits revealed security flaws that if timely corrected may have thwarted
the massive Anthem data breach, it would be a perversion of the system to
deny the victims of the data breach access to work done by OPM on their
behalf."

As an alternative to OPM segregating and releasing to the plaintiffs the
requested documentation related to the IT security audits of Anthem, the
plaintiffs ask that OPM should instead submit the documents to the court
for review, which would permit a judge to determine whether the documents
should be allowed in open court.

Anthem and an attorney representing plaintiffs in the class action lawsuit
did not immediately respond to ISMG requests for comment on the case.

Bad Idea?

But one legal expert argues that the release of documentation related to
OPM's security audits of Anthem is a bad idea.

"I would generally be concerned about the release of any kind of audit
report like this," says privacy attorney Kirk Nahra of the law firm Wiley
Rein LLP. "First, it can create ongoing new security problems by revealing
information. Second, any time these kinds of reports - which are designed
to improve security activity - end up being used against someone - that
creates terrible incentives. It will be bad for both individuals and
industry if efforts to review and improve security end up being used after
the fact to create problems and liability."

Public disclosure of security audit findings will also potentially "create
more reasons for companies to refuse to share this kind of information with
other business partners and to refuse to cooperate in efforts to evaluate
security, which also creates both business tensions and additional security
risks," Nahra says.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161103/14f02d21/attachment.html>