Federal Health Insurer Denies Auditors Access To Its IT Systems

One of the government’s health benefits providers is refusing to allow the Office of Personnel Management to scan the company’s IT systems, as stipulated in its contract.

Health data is a prime target for hackers, so when OPM’s Office of the Inspector General exercised its right to audit an insurance provider’s IT systems, it meant business. However, the provider, Health Net of California, isn’t happy with the scope of the audit—which includes scanning its entire IT environment—and is refusing to cooperate.

That refusal puts Health Net in breach of contract, according to a Feb. 2 flash audit released by the inspector general.

“Health Net’s actions are in direct violation of the company’s contract with OPM, and also disregard the statutory authority of the OIG,” the audit states. “Of greater concern, however, is that the auditors cannot evaluate Health Net’s IT security controls... As a result, we are unable to attest whether Health Net is acting as a responsible custodian of critically sensitive [protected health information] and [personally identifiable information] of FEHBP members.”

The core of the issue is whether auditors should be allowed to test Health Net’s systems directly or rely on the company’s self-administered scans, according to the inspector general.

Federal auditors first met with Health Net IT officials on Jan. 22 after several months of pre-audit communications. Auditors conducted interviews on that first visit and planned to follow up with systems testing in mid-February.

But before testing day arrived, it became clear to the auditors that Health Net did not intended to comply. Auditors sent 13 separate data requests with due dates spanning between Jan. 22 and Feb. 1 to Health Net officials during the pre-audit talks.

“As of Feb. 6, not a single document had been provided to us,” OIG wrote in the flash alert. “Furthermore, Health Net refused to confirm that it would deliver the requested items or let us perform critical vulnerability and configuration management testing.”

The inspector general’s office expressed these concerns to Health Net in a Feb. 6 memo and asked, point blank, whether the insurer planned to cooperate. Health Net responded on Feb. 7, declining to comply.

If Health Net does not agree to the full audit, the breach of contract could lead to the company being removed as a federal health insurance provider.

“Failure to meet OPM standards for Health Benefits Carriers may be cause for OPM's withdrawal of approval of a health benefits carrier and termination of a contract,” an OPM spokesperson told Nextgov. If that were to occur, federal employees would be given the opportunity to enroll in a different FEHB plan, the spokesperson said.

Health Net has provided some pertinent information, including a limited list of employees and associated user IDs that have access to federally relevant systems. However, OPM’s inspector general wants more, including information on employee access systemwide and the ability to conduct vulnerability scans.

“Although we focus on servers that directly process or store FEHBP data, we judgmentally select other high-risk servers to include in the scope of testing,” the audit states, asserting that a weakness in any part of the system could compromise the whole.

The flash audit notes OPM inspectors general have been conducting these types of vulnerability assessments for more than 10 years across some 70 unique IT environments. In that time, they have never been denied the kind of access being requested.

Further, “Health Net’s refusal to provide complete access and termination lists is unprecedented in our IT audits,” the inspector general wrote.

“The company has offered to provide copies of its own scans limited to the part of the network and servers that directly process FEHBP claims,” an OIG official told Nextgov in an email. “The OIG has rejected that approach many times in the past (not just at Health Net, but at other carriers), because our independently conducted scans have shown that carriers often have inadequate scanning programs. Our scanning tests are designed to uncover those weaknesses in their scanning programs, not just to find system weaknesses (i.e., missing patches).”

Representatives from Health Net did not immediately return requests for comment.

“Health Net’s refusal to allow this standard audit test work as part of our audit leaves multiple questions about Health Net’s vulnerability and configuration management programs unanswered,” the flash audit states, adding later, “There is nothing unique about Health Net, its technical environment, or the nature of our proposed testing that would exempt Health Net from our oversight and this testing.”

Editor's Note: This article has been updated to include additional comments from OPM.