Feds blast Health Net for refusing to comply with vulnerability testing

While the insurer complied with the initial rounds of audits, Office of Personnel Management officials said it soon became clear Health Net didn’t intend to fully comply.
By Jessica Davis
08:39 AM
Share
Health Net cybersecurity

HealthNet headquarters in Gold River, California. Credit: Google Maps

Health Net is refusing to cooperate with a request for a flash audit of its vulnerabilities, according to an Officer of Personnel Management Inspector General’s report.

While Health Net complied with an initial round of audit interviews in January, officials said it became obvious the insurer didn’t intend to cooperate with planned testing.

OPM pressed the insurer with further data requests to perform vulnerability testing, but Health Net sent a formal memo that said it wouldn’t provide the required documentation and wouldn’t let the agency conduct testing.

As part of its contract as a member of the Federal Employees Health Benefits Program (FEHBP), Health Net is required to submit to audits at OPM’s request. Calling the unwillingness to cooperate “unprecedented,” the report said the obstruction of the audit puts Health Net in breach of contract.

[Also: The biggest healthcare data breaches of 2018 (so far)]

“Health Net’s actions are in direct violation of the company’s contract with OPM, and also disregard the statutory authority of the OIG,” according to the report. “As a result, we’re unable to attest whether Health Net is acting as a responsible custodian of critically sensitive PHI and PII of FEHBP members.”

However, OPM’s bigger concern is that the agency can’t evaluate the insurer’s vulnerabilities and security configuration management testing.

FEHBP providers, as a whole, don’t segregate program data from commercial or federal customers, so “control weakness on one system poses a threat to all other systems in the same logical and/or physical technical environment,” officials said.

To officials, that makes testing crucial to the integrity of program data, as it can verify the security of the insurance carrier’s technical infrastructure in order to protect FEHBP data.

“We became increasingly concerned that Health Net’s delaying tactics and lack of cooperation regarding our testing would negatively impact not only this audit engagement but also our oversight of other FEHBP carriers and of OPM itself,” officials said.

Health Net already fell victim to a data breach of 1.9 million patient records in 2011 and settled the lawsuit stemming from that breach just two years later. Centene acquired Health Net in 2016.

On Feb. 12, OPM sent Health Net another letter stressing the requirement for the insurer to comply with the audit. This story will be updated when more information becomes available.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com