The head of the Office of Personnel Management says the agency plans to issue new rules to health insurance companies that provide coverage for federal employees for reporting cybersecurity incidents.
Acting OPM Director Beth Cobert announced the move during a speech Thursday at the annual Federal Employees Health Benefits Program conference.
Last year, both OPM and one of the biggest insurers in the FEHBP program -- Anthem Inc. -- were breached, purportedly by the same band of Chinese state-backed hackers.
“Whether it was the intrusions we suffered at OPM or the breaches at so many other insurers and health care providers, we must work together to keep the information entrusted to us secure,” Cobert said in the speech.
In September, OPM established an IT security working group with the FEHBP insurance companies, Cobert said. The group’s goal is to ensure companies’ security practices “are complete, sufficient and uniform when it comes to reporting data breaches,” Cobert said. “And that going forward, carrier practices are aligned with best practices in IT.”
OPM cybersecurity adviser Clifton Triplett, who joined the agency in November as part of the response to the massive agency hack, has been working with the companies as part of the group, Cobert said. OPM is also consulting with the departments of Health and Human Services and Homeland Security.
The OPM hack, disclosed last June, affected nearly 22 million federal employees, contractors, retirees and prospective employees. Hackers, believed to be Chinese cyberspies, breached OPM systems that stored sensitive background investigation data, which included names, addresses, employment history and even fingerprint records.
Anthem announced in February 2015 that an unknown number of federal employees who receive coverage through Blue Cross Blue Shield had their personal information stolen by hackers.
Cybersecurity experts later linked the two breaches to the same China-backed hackers.
In August, the White House issued draft guidelines seeking to standardize contractors’ reporting of cyberincidents affecting federal data stored on third-party systems.