Health Net Refused to Adhere with Security Audit: OPM

The U.S. Office of Personnel Management (OPM) Office of the Inspector General Office of Audits (OIG) has released a Flash Audit Alert claiming Health Net of California has refused to adhere with a recent security audit.

Health Net supplies benefits to federal workers, and under its contract with OPM, is required to comply with audits. OPM has been carrying out security audits on FEHBP insurance carriers for the last 10 years, which includes scanning for weaknesses that could possibly be exploited to gain access to the PHI of FEHBP subscribers.

When OPM carries out audits, it is focused on the information systems that are used to access or hold the data of Federal Employee Health Benefit Program (FEHBP) subscribers. However, OPM points to the fact that many insurance providers do not segregate the data of FEHBP subscriber from the data of commercial and other Federal clients. Audits of technical infrastructure need to be completed on all parts of the system that have a logical or physical nexus with FEHBP data. Due to this, systems storing data other than that of FEHBP members will also be assessed for weaknesses.

In its Flash Audit Alert released, OPM said Health Net refused to permit OPM to conduct vulnerability and configuration management testing and documentation was not supplied that would allow OPM to test whether Health Net was able to switch off information system access for contractors who no longer needed data access and for terminated staff.

By refusing to cooperate, OPM could not determine whether Health Net has been acting as a responsible custodian of sensitive protected health information of FEHBP subscribers.

Health Net maintains that it has been cooperating with OPM and permitted the agency to complete the audit, although the insurance carrier spoke with its external counsel and was advised that if it cooperated fully with OPMs requests and agreed to certain parts of the audit process, it would risk breaching contracts with other third parties. Health Net has obligations to those third parties to ensure their data is secure.

Health Net believes that it has – and will – be able to meet the requests of OPM and OIG without compromising the security of its system and the privacy and confidentiality of members’ and employees’ information. Health Net also alleges that the claims made in the OPM report are with basis.

They said: “We understand the concerns associated with work of this nature, we take great care to minimize risk. Our procedures were developed as part of a collaborative working group comprised of health insurance industry Chief Information Officers and Chief Information Security Officers.

“There is nothing unique about Health Net, its technical environment, or the nature of our proposed testing that would exempt Health Net from our oversight and this testing.”

At this point in time it is not evident what, if any, action OPM will take against Health Net if the company will not comply with its audit requests completely.