Health Net Refused to Comply with Security Audit: OPM

by Patrick Kennedy | Mar 9, 2018

The U.S. Office of Personnel Management (OPM) Office of the Inspector General, Office of Audits (OIG) has released a Flash Audit Alert stating that Health Net of California has refused to cooperate with a recent security audit.

Health Net supplies benefits to federal workers and, under its contract with OPM, is required to comply with audits. OPM has been carrying out security audits of Federal Employees Health Benefits Program (FEHBP) insurance carriers for the last 10 years. These audits include scanning for weaknesses that could potentially be exploited to gain access to the protected health information (PHI) of FEHBP subscribers.

When OPM carries out audits, it focuses on the information systems that are used to access or hold the data of FEHBP subscribers. However, OPM points out that many insurance providers do not segregate the data of FEHBP subscribers from the data of commercial and other federal clients. Audits of technical infrastructure therefore need to cover all parts of the system that have a logical or physical nexus with FEHBP data, so systems storing data other than that of FEHBP members will also be assessed for weaknesses.

In its Flash Audit Alert, OPM said Health Net refused to permit OPM to conduct vulnerability and configuration management testing. Health Net also did not supply the documentation that would have allowed OPM to verify whether Health Net was able to switch off information system access for contractors who no longer needed data access and for terminated staff.

Because Health Net refused to cooperate, OPM could not determine whether Health Net has been acting as a responsible custodian of the sensitive protected health information of FEHBP subscribers.

Health Net maintains that it has been cooperating with OPM and has permitted the agency to complete the audit. However, the insurance carrier consulted its external counsel and was advised that if it cooperated fully with OPM's requests and agreed to certain parts of the audit process, it would risk breaching contracts with other third parties. Health Net has obligations to those third parties to ensure their data is secure.

Health Net believes that it has been, and will be, able to meet the requests of OPM and OIG without compromising the security of its systems or the privacy and confidentiality of members' and employees' information. Health Net also alleges that the claims made in the OPM report are without basis.

OPM responded: “We understand the concerns associated with work of this nature; we take great care to minimize risk. Our procedures were developed as part of a collaborative working group comprised of health insurance industry Chief Information Officers and Chief Information Security Officers.

“There is nothing unique about Health Net, its technical environment, or the nature of our proposed testing that would exempt Health Net from our oversight and this testing.”

At this point it is not clear what action, if any, OPM will take against Health Net if the company does not fully comply with its audit requests.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
