Two years after a cyberattack on Anthem, one of America’s largest health insurers, the company and the U.S. government are still locked in court battles over lawsuits that aim to make public a range of critical documents from two security audits conducted both right before and immediately after the massive hack.
After some disclosures on the audits in 2016, a federal court ruled this week that a new round of security audit documents will be published. In the same decision, a judge also allowed the government to withhold several documents about the audit that took place just before the cyberattack.
It was revealed in 2015 that hackers gained access to to nearly 80 million records including Social Security numbers, birthdays, addresses, detailed employment information, income data for a wide swath of Americans. Chinese state-sponsored attackers were suspected in the attack, but no official ever presented evidence or spoke on the record about the parties responsible. The U.S. government’s involvement comes into play because a substantial portion of the hacked records includes federal government employees who received health care through the Federal Employee Health Benefits Program.
The attack has resulted in numerous lawsuits claiming Anthem neglected information security, kept their neglect secret and failed to notify customers of the breach in a timely manner. Plaintiffs issued a subpoena to the U.S. Office of Personnel Management (famous for its own milestone data breach) since the agency conducts IT security audits for the insurance carriers it works with.
It was revealed that OPM conducted such an audit in 2013, right before the breach, and immediately after in 2015. Some of that information was released by OPM in May 2016 but much of it was withheld, leading to a motion to compel OPM to release the rest of the records. U.S. District Judge Amit P. Mehta issued a decision this week clarifying new records to be released as well as many that will be withheld.
The documents the court compelled OPM to release include an email thread where OPM asks Anthem why they could not perform their own security and vulnerability scans on Anthem’s networks and then OPM asking for alternatives to such an audit. Several meeting write-ups will be released including one focused on enterprise security, although the judge ruled that most of the documents focused on meetings include privileged information.
Emails that discuss whether Anthem ever successfully implemented the security recommendations of the 2013 audit are being kept secret as are discussions about whether and how to modify contracts between Anthem and the federal government following the data breach.
The court gave two reasons for withholding this information. The deliberative process privilege grants immunity to the executive branch in civil litigation. It’s intended to “encourage open, frank discussions on matters of policy.” It’s a privilege frequently used to withhold records from the public by federal agencies. Law enforcement privilege is even simpler: Materials that are part of an ongoing investigation can be withheld if the government chooses to do so.
Here’s the court order from Monday: