Plaintiffs in a class-action lawsuit against health insurer Anthem are demanding the federal government turn over documents that allegedly show Anthem knew its information technology security was heavily flawed ahead of its vast data breach last year.
Anthem announced the cyberattack in February 2015. Hackers stole the names, Social Security numbers, birthdays and other personal information of roughly 80 million Anthem and other Blue Cross and Blue Shield members. But few details have emerged in the past 18 months about how the cyberattack occurred, how much the data breach has cost Anthem or how the company has remedied the situation.
The latest legal documents, filed in U.S. District Court for the District of Columbia as part of a consolidated class-action case, involve a subpoena for audit documents created by the U.S. Office of Personnel Management. The OPM manages the Federal Employees Health Benefit Program, and Anthem is an administrator for that program.
The contract between OPM and Anthem gives the federal agency the right to conduct IT security audits, according to the Oct. 25 court filing. The OPM performed such an audit in 2013 and published a final report that highlighted several shortcomings with Anthem's computer systems.
For example, Anthem, then known as WellPoint, did not have controls in place “to prevent rogue devices … from connecting to its networks,” OPM officials wrote in the audit. Anthem also did not routinely perform “vulnerability scanning,” which increased the risk its systems could be hacked.
The OPM audit also noted that Anthem had not allowed the agency to run a test to verify that its servers were up to date and securely configured. Anthem rejected the test, citing “corporate policy.”
Soon after Anthem disclosed hackers had infiltrated its systems, the OPM told Anthem it wanted to do another audit and again test the security of Anthem's servers, according to the court filing. The OPM subsequently sent Anthem a draft and then a final audit report this year, but neither the OPM nor Anthem has provided those documents to the plaintiffs. The federal government told the plaintiffs this month it would not hand over the new audit results because they are “privileged,” or immune from disclosure.
“Where those audits revealed security flaws that if timely corrected may have thwarted the massive Anthem data breach, it would be a perversion of the system to deny the victims of the data breach access to work done by OPM on their behalf,” the court filing reads.
Anthem declined to comment on the subpoena but noted that “Anthem has never refused an OPM audit.” The OPM did not respond to a request for comment.
Many Anthem members in the class-action suit say they have had their credit scores damaged or received notices of fraudulent financial activity because their identities had been stolen. For instance, one plaintiff, an Anthem member in Connecticut, was notified that someone attempted to open credit cards at Best Buy, Office Depot and Capital One in his name, according to the court filing. Another plaintiff in Georgia found out someone started a fraudulent company using his information.