Health Net Refuses Security Audit, Says OPM OIG


Health Net California, a provider of government employees’ benefits, has been flagged as unwilling to undergo security audits in a Flash Audit Alert released by the U.S. Office of Personnel Management (OPM) Office of the Inspector General (OIG) Office of Audits.

Over the past 10 years, OPM has been assigned to perform security audits of Federal Employee Health Benefit Program (FEHBP) insurance companies. OPM is to examine areas that are vulnerable to, and could serve as a route for, illegal and unauthorized access to the protected health information (PHI) of FEHBP members. As OPM’s partner, Health Net is contractually expected to undergo these audits.

When OPM performs audits, it is concerned with the information systems used to access or store the data of FEHBP members. But OPM notes that many insurance carriers don’t separate the records of FEHBP members from the records of business and other Federal clients. Audits of technical facilities must be carried out on all parts of the system that have a physical or logical nexus with FEHBP records. As a result, systems that contain data other than that of FEHBP members will likewise be evaluated for vulnerabilities.

OPM’s Flash Audit Alert disclosed that the office is unable to ascertain whether Health Net is fulfilling its responsibility as a guardian of FEHBP members’ PHI, because it does not submit to the necessary audit. OPM said that, besides refusing to undergo vulnerability and configuration management screening, Health Net also failed to supply required documents that would allow OPM to verify whether Health Net was able to stop system access by ex-contractors and employees.

Health Net says that it has cooperated with OPM and permitted the agency to perform the audit, despite the fact that the insurance carrier conferred with its lawyer and was cautioned that if it cooperated completely with OPM’s demands and submitted to particular parts of the audit procedure, it would risk breaking legal agreements with other third parties. Health Net again says that it will fulfill the requests of OPM and OIG without compromising the security, privacy and confidentiality of members’ and employees’ information. Health Net likewise states that the accusations made by OPM are unproven.