Federal watchdog slams Health Net for ‘unprecedented’ refusal to comply with vulnerability testing

The inspector general for the Office of Personnel Management says Health Net has refused to comply with vulnerability testing, raising questions about its ability to secure patient data. (Image: Getty/cacaroot)

The watchdog arm of the Office of Personnel Management (OPM) says Health Net has refused to comply with a scheduled audit of its IT systems designed to ensure the insurer has the necessary controls to protect patient information.

Health Net’s refusal to comply with the planned testing is “unprecedented,” according to a flash audit (PDF) released by OPM’s Office of Inspector General. The report states that after an initial round of audit interviews at the end of January, it became clear that the California insurer “did not intend to cooperate with our planned testing.”

Health Net later refused to comply with data requests necessary to perform critical vulnerability and configuration management testing. On Feb. 7, Health Net responded to a formal memo from OIG, indicating that it would not provide the requested documentation, nor would it allow the agency to conduct testing.

“Health Net’s refusal to allow this standard audit test work as part of our audit leaves multiple questions about Health Net’s vulnerability and configuration management programs unanswered,” the OIG stated in its report.

OPM's watchdog agency performs vulnerability testing for all insurance carriers that participate in the Federal Employees Health Benefits Program (FEHBP), which provides coverage for federal employees, retirees and their families. OIG says it performs the vulnerability scans because internal audits are often “inadequate.” Because most organizations do not segregate FEHBP data from commercial data, OIG audits often include multiple parts of an organization's IT infrastructure that have any crossover with FEHBP data. A control weakness in one system, the agency says, could compromise an otherwise secure server.

Health Net, for its part, says it has complied with the agency’s requests.

“Health Net has fully cooperated in the Office of Personnel Management Office of Inspector General’s audit,” Health Net spokesperson Brad Kieffer said in a statement emailed to FierceHealthcare. “In addition, we have been responsive to the documentation requested and continue to work with both the OPM and the OIG on the remaining requests.”

Kieffer did not respond to follow-up questions regarding the details of the OIG report.

"OPM is working with the carrier to ensure that it meets the terms of our contract including cooperation with regard to audits and to ensure that it provides adequate safeguarding of protected health information," a spokesperson told FierceHealthcare. "OPM continually monitors each FEHB Program contract for compliance with contract terms and to ensure prudent business practices."

In 2011, Health Net was hit with a data breach affecting 1.9 million people after the company discovered several computer drives were missing. The insurer settled a class-action lawsuit two years later. In 2016, Health Net was acquired by Centene.

Insurers have been hit particularly hard by data breaches and subsequent litigation. Last year Anthem agreed to pay $115 million to settle a class-action lawsuit stemming from a 2015 breach that exposed information for nearly 80 million members.

Editor's Note: This story has been updated to include a statement from OPM.
