Federal watchdog slams Health Net for ‘unprecedented’ refusal to comply with vulnerability testing

The watchdog arm of the Office of Personnel Management (OPM) says Health Net has refused to comply with a scheduled audit of its IT systems designed to ensure the insurer has the necessary controls to protect patient information.

Health Net’s refusal to comply with the planned testing is “unprecedented,” according to a flash audit (PDF) released by OPM’s Office of Inspector General. The report states that after an initial round of audit interviews at the end of January, it became clear that the California insurer “did not intend to cooperate with our planned testing.”

Health Net later refused to comply with data requests necessary to perform critical vulnerability and configuration management testing. On Feb. 7, Health Net responded to a formal memo from OIG, indicating that it would not provide the requested documentation, nor would it allow the agency to conduct testing.

“Health Net’s refusal to allow this standard audit test work as part of our audit leaves multiple questions about Health Net’s vulnerability and configuration management programs unanswered,” the OIG stated in its report.

OPM's watchdog agency performs vulnerability testing for all insurance carriers that participate in the Federal Employees Health Benefits Program (FEHBP), which provides coverage for federal employees, retirees and their families. OIG says it performs the vulnerability scans because internal audits are often “inadequate.” Because most organizations do not segregate FEHBP data from commercial data, OIG audits often include multiple parts of an organization's IT infrastructure that have any crossover with FEHBP data. A control weakness in one system, the agency says, could compromise an otherwise secure server.

Health Net, for its part, says it has complied with the agency’s requests.

“Health Net has fully cooperated in the Office of Personnel Management Office of Inspector General’s audit,” Health Net spokesperson Brad Kieffer said in a statement emailed to FierceHealthcare. “In addition, we have been responsive to the documentation requested and continue to work with both the OPM and the OIG on the remaining requests.”

Kieffer did not respond to follow-up questions regarding the details of the OIG report.

"OPM is working with the carrier to ensure that it meets the terms of our contract including cooperation with regard to audits and to ensure that it provides adequate safeguarding of protected health information," a spokesperson told FierceHealthcare. "OPM continually monitors each FEHB Program contract for compliance with contract terms and to ensure prudent business practices."

In 2011, Health Net was hit with a data breach affecting 1.9 million people after the company discovered several computer drives were missing. The insurer settled a class-action lawsuit two years later. In 2016, Health Net was acquired by Centene.

Insurers have been hit particularly hard by data breaches and subsequent litigation. Last year Anthem agreed to pay $115 million to settle a class-action lawsuit stemming from a 2015 breach that exposed information for nearly 80 million members.

Editor's Note: This story has been updated to include a statement from OPM.