U.S. OFFICE OF PERSONNEL
MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
AUDIT OF THE INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT
ANTHEM BLUE CROSS BLUE SHIELD
Report Number 1A-10-62-16-003
August 15, 2016
-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY
Audit of the Information Systems General and Application Controls at
Anthem Blue Cross Blue Shield
Report No. 1A-10-62-16-003 August 15, 2016
Background What Did We Find?
Anthem Blue Cross Blue Shield Our audit of the IT security controls of Anthem determined that:
(Anthem) contracts with the U.S. Anthem has implemented an incident response and network
Office of Personnel Management as security program. Anthem has also implemented preventative
part of the Federal Employees controls at the network perimeter and performs security event
Health Benefits Program (FEHBP). monitoring throughout the network. However, we noted
several areas of concern related to Anthem’s network security
controls:
Why Did We Conduct the Audit?
o Anthem’s computer server and database inventories
The objectives of this audit were to
revealed that Anthem has numerous servers running
evaluate controls over the unsupported versions of operating systems.
confidentiality, integrity, and o Our vulnerability assessment identified numerous servers
availability of FEHBP data containing vulnerabilities such as missing patches,
processed and maintained in noncurrent software, and weak configuration settings. The
Anthem’s information technology vast majority of the servers containing vulnerabilities were
(IT) environment. This engagement inherited from a separate company that was recently
was a follow-up audit where we acquired by Anthem. These servers were migrated into
Anthem’s network before they were fully integrated into
performed test work that we were
Anthem’s vulnerability management, patching, and
restricted from completing during a configuration management programs.
prior audit of Anthem (Report No.
Anthem has developed formal configuration management
1A-10-00-13-012). At the time of policies, has documented security configuration settings for its
the previous audit Anthem was operating platforms, and performs routine configuration
known as WellPoint, Inc. compliance auditing.
What Did We Audit?
The scope of this audit centered on
the information systems used by
Anthem to process and store data
related to insurance claims for
FEHBP members.
______________________
Michael R. Esser
Assistant Inspector General
for Audits
i
ABBREVIATIONS
the Act The Federal Employees Health Benefits Act
Anthem Anthem Blue Cross Blue Shield
BCBS Blue Cross Blue Shield
BCBSA Blue Cross Blue Shield Association
CFR Code of Federal Regulations
DO Director’s Office
FEHBP Federal Employees Health Benefits Program
FEP Federal Employee Program
FISCAM Federal Information Systems Control Audit Manual
GAO U.S. Government Accountability Office
IT Information Technology
NIST SP National Institute of Standards and Technology’s Special Publication
OIG Office of the Inspector General
OMB U.S. Office of Management and Budget
OPM U.S. Office of Personnel Management
Plan Anthem Blue Cross Blue Shield
ii
IV. MAJOR CONTRIBUTORS TO THIS REPORT
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY ......................................................................................... i
ABBREVIATIONS ..................................................................................................... ii
I. BACKGROUND ..........................................................................................................1
II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2
III. AUDIT FINDINGS AND RECOMMENDATIONS.................................................4
A. Network Security .....................................................................................................4
B. Configuration Management .....................................................................................9
IV. MAJOR CONTRIBUTORS TO THIS REPORT ..................................................11
APPENDIX: Anthem Blue Cross Blue Shields’s July 7, 2016 response to the draft
audit report, issued April 27, 2016.
REPORT FRAUD, WASTE, AND MISMANAGEMENT
IV. MAJOR CONTRIBUTORS
I. BACKGROUND
TO THIS REPORT
This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Anthem Blue Cross Blue
Shield (Anthem or Plan).
The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code
of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office
of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.
The Blue Cross Blue Shield Association (BCBSA), on behalf of participating Blue Cross and
Blue Shield (BCBS) plans, has entered into a Government-wide Service Benefit Plan contract
(CS 1039) with OPM to provide a health benefit plan authorized by the FEHB Act. The
Association delegates authority to participating local BCBS plans throughout the United States,
such as Anthem, to process the health benefit claims of its federal subscribers.
The Association has established a Federal Employee Program (FEP) Director’s Office (DO) in
Washington, D.C. to provide centralized management for the Service Benefit Plan. The FEP DO
coordinates the administration of the contract with the Association, member BCBS plans, and
OPM.
All Anthem personnel that worked with the auditors were helpful and open to ideas and
suggestions. Their positive attitude and helpfulness throughout the audit was greatly
appreciated.
1 Report No. 1A-10-62-16-003
II. OBJECTIVES, SCOPE, AND METHODOLOGY
Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in Anthem’s information technology (IT)
environment. We accomplished these objectives by reviewing IT security controls related to
Anthem’s network security and configuration management.
Scope and Methodology
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, we
obtained an understanding of Anthem’s internal controls through interviews and observations, as
well as inspection of various documents, including IT and other related organizational policies
and procedures. This understanding of Anthem’s internal controls was used in planning the audit
by determining the extent of compliance testing and other auditing procedures necessary to
verify that the internal controls were properly designed, placed in operation, and effective.
This engagement was a follow-up audit where we performed test work that we were restricted
from completing during a prior audit of Anthem. (Report No. 1A-10-00-13-012). At the time of
the previous audit Anthem was known as WellPoint, Inc. All recommendations from the prior
audit have been closed. The business processes reviewed are primarily located in Anthem’s
Indianapolis, Indiana facility.
The on-site portion of this audit was performed in November of 2015. We completed additional
audit work before and after the on-site visit at our office in Washington, D.C. The findings,
recommendations, and conclusions outlined in this report are based on the status of information
system general controls in place at Anthem as of April 2016.
In conducting our audit, we relied to varying degrees on computer-generated data provided by
Anthem. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.
2 Report No. 1A-10-62-16-003
In conducting this review we:
Gathered documentation and conducted interviews;
Reviewed Anthem’s business structure and environment;
Performed a risk assessment of Anthem’s information systems environment and applications,
and prepared an audit program based on the assessment and the Government Accountability
Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM); and
Conducted various compliance tests to determine the extent to which established controls and
procedures are functioning as intended. As appropriate, we used judgmental sampling in
completing our compliance testing.
Various laws, regulations, and industry standards were used as a guide to evaluating Anthem’s
control structure. These criteria include, but are not limited to, the following publications:
Title 48 of the Code of Federal Regulations;
U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III;
OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
Information Technology Governance Institute’s COBIT: Control Objectives for Information
and Related Technology;
GAO’s FISCAM;
National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
Introduction to Computer Security;
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems;
NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy;
NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations; and
NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide.
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether Anthem’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
Anthem was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.
3 Report No. 1A-10-62-16-003
III. AUDIT FINDINGS AND RECOMMENDATIONS
A. Network Security
Network security includes the policies and controls in place to manage and monitor the use and
security of a computer network and network-accessible resources.
We noted that Anthem has implemented the following network security controls:
Preventive controls at the network perimeter;
Security event monitoring throughout the network; and
A thorough incident response program.
The following sections document opportunities for improvement related to Anthem’s network
security controls.
1. System Lifecycle Management
A review of Anthem’s computer server and database inventories Anthem has
revealed that Anthem has numerous servers running unsupported numerous servers
versions of operating systems. Software vendors typically running unsupported
advertise the dates that they will no longer provide support or versions of operating
distribute security patches for their products (referred to as end- systems.
of-life dates). In order to avoid the risk associated with having
critical business operations dependent on unsupported software, organizations should have a
process in place to anticipate end-of-life dates and phase out the deployment of such software
prior to this window of exposure.
We were told that Anthem has an infrastructure lifecycle management program to eliminate
end-of-life hardware and operating systems. The goal of the program is to
However,
our review identified servers that are running unsupported versions of operating
systems and over of those have not been supported for more than . The large
number and significant length time that servers have been unsupported indicates that
Anthem’s infrastructure lifecycle management program is not effective in its current form.
NIST SP 800-53, Revision 4, recommends that organizations replace “information system
components when support for the components is no longer available from the developer,
vendor, or manufacturer . . . .” NIST SP 800-53, Revision 4, also states that “Unsupported
components . . . provide a substantial opportunity for adversaries to exploit new weaknesses
discovered in the currently installed components.”
4 Report No. 1A-10-62-16-003
Failure to upgrade system software could leave information systems vulnerable to known
attacks without the possibility of remediation.
Recommendation 1
We recommend that Anthem update its policies and procedures to ensure that information
systems are upgraded .
Anthem Response
“Anthem maintains a comprehensive infrastructure lifecycle management program; the
program is designed to ensure that server operating systems remain current and supported
by vendors.
A ‘refresh history’ is developed for each server and application within
the Anthem environment, detailing the current status of the server or application within
the infrastructure lifecycle.
Anthem tracks the refresh history for each server and application within its environment.
As with any business that relies on changing technology, there are certain situations in
which migrating applications to a new version would be either impractical or impossible.
For example, a mission-critical application may become unstable if migrated to a newer
operating system version. In these cases, the Anthem information security team
documents the risks associated with maintaining the application and communicates these
risks to Anthem business owners as well as IT leadership. Where appropriate, the
information security team follows an exceptions process consistent with Anthem’s
Information Security Risk Exception Request Procedure, provided as Exhibit 1.1.
company acquisitions were migrated into the overall Anthem
lifecycle management program, resulting in the integration of new servers into
the Anthem environment. Following the acquisitions, Anthem surveyed and prioritized
acquired servers for refresh based on the risk profile presented. These systems were
integrated into the infrastructure lifecycle management program in
. A screenshot
from Anthem’s Security Exception Tracker system, attached as Exhibit 1.2, provides a
sample of the documentation created describing risk mitigation efforts for servers that had
been acquired by Anthem.
5 Report No. 1A-10-62-16-003
As part of its ongoing infrastructure lifecycle management program, in the time that has
elapsed since the OPM completed its assessment work,
The remaining such servers in the Anthem environment have been integrated into
one of the following phases of the refresh process described above:
OIG Comment
Anthem’s response to our draft audit report discusses an “exception process” to document
servers that are not refreshed in accordance with the organization’s infrastructure lifecycle
management program. Although it’s beneficial to document the risk associated with
maintaining outdated hardware or software, such documentation does little to actually reduce
that risk. As mentioned above, servers ( percent of all of Anthem’s servers
according to the inventory provided during the audit) are unsupported. While we would
expect there to be exceptions to a small population of servers, the sheer number of
unsupported servers indicates that the infrastructure lifecycle management program is not
operating as intended. We continue to recommend that Anthem update its policies and
procedures to ensure that information systems are upgraded to current versions prior to the
end of vendor support.
2. Server Migration/Integration
We performed a credentialed vulnerability assessment using Anthem migrated servers
automated tools against a sample of servers selected from into its network that were
Anthem’s system inventory. The vulnerability assessment not fully integrated into
identified numerous servers containing vulnerabilities such as its vulnerability
missing patches, noncurrent software, and weak management, patching,
configuration settings. Anthem has relatively mature or configuration
vulnerability, patch, and configuration management management programs.
programs in place, so we would have expected the
organization to have already detected these vulnerabilities and to have a corrective action
plan in place.
Upon further research it was determined that the vast majority of the servers containing
vulnerabilities were previously owned and operated by another company that was recently
acquired by Anthem. These servers were migrated into Anthem’s network, but it is apparent
that they were not fully integrated into Anthem’s vulnerability management, patching, or
configuration management programs.
6 Report No. 1A-10-62-16-003
We believe that Anthem should be extremely cautious when migrating new servers into its
technical environment. We acknowledge that Anthem must consider a wide variety of
business implications when it acquires new IT assets as part of a merger or acquisition, but
the risks associated with introducing vulnerabilities into the environment should be nearly
impossible to justify as a business decision. Anthem has dedicated significant time and
resources toward implementing IT controls to protect sensitive data, but the introduction of
unsecure devices could undermine these efforts.
NIST SP 800-53, Revision 4, states that the organization should scan for “vulnerabilities in
the information system and hosted applications [on a routine basis] and when new
vulnerabilities potentially affecting the system/applications are identified and reported.”
NIST SP 800-53, Revision 4, also states that security-relevant software and firmware updates
should be installed within timeframes defined by the organization. While Anthem has an
adequate process for scanning and patching most of its systems, the process should be
applied to all systems.
Recommendation 2
We recommend that Anthem determine what additional controls it can implement to ensure
that all servers are fully integrated into the Anthem configuration, patch, and vulnerability
management programs before being migrated into the network environment.
Anthem Response
7 Report No. 1A-10-62-16-003
As noted by OPM, the vast majority of the servers containing vulnerabilities were
previously owned by other companies that were recently acquired by Anthem. As with all
companies that acquire active companies that rely on existing technology to operate their
businesses, Anthem must determine how to integrate the acquired company’s technology
in a manner that is both efficient and sensitive to security concerns.
Anthem is currently reviewing its policies and procedures to further enhance its decision-
making framework governing the integration of acquired servers, including by
OIG Comment
The evidence received in response to the draft audit report indicates that Anthem’s
already required servers to be integrated into
Anthem configuration, patch, and vulnerability management programs prior to deployment
into the production environment. Anthem also provided evidence that indicates that it has
additional policies that require the
This additional information increases our concern, as it demonstrates that Anthem violated its
own corporate policies by migrating these servers containing security weaknesses into its
environment. Therefore, we modified our draft report recommendation and now recommend
that Anthem determine what additional controls it can implement to ensure that all servers
8 Report No. 1A-10-62-16-003
are fully integrated into the Anthem configuration, patch, and vulnerability management
programs before being migrated into the network environment. Anthem’s new requirement
to obtain the approval of the
is a good first step in this process.
Recommendation 3
We recommend that Anthem provide evidence that the vulnerability and configuration issues
identified in our assessment specific to the acquired company’s servers have been
remediated.
Anthem Response
“Anthem will be providing the evidence requested by OPM through established channels.
This evidence demonstrates that the vulnerabilities or configuration management issues
identified by OPM have been addressed within the Anthem environment. If OPM does not
agree that these issues have been remediated, Anthem would appreciate the opportunity to
provide additional evidence to OPM prior to publication of OPM’s final report.”
OIG Comment
As a part of the audit resolution process, we recommend Anthem provide OPM’s Healthcare
and Insurance Audit Resolution Group with evidence that it has remediated the vulnerability
and configuration issues identified in our assessment specific to the acquired company’s
servers.
B. Configuration Management
Configuration management controls are the policies and Anthem has documented
procedures that ensure that system software such as operating security configuration
systems and databases are configured securely. We evaluated settings for its operating
Anthem’s configuration management program as it relates to the platforms and performs
systems that support the processing of FEHBP claims, and routine configuration
determined that the following controls were in place: compliance auditing.
Configuration management policies and procedures;
Documented baseline configurations for all operating systems in use;
Routine configuration compliance auditing; and
A system software change control process.
9 Report No. 1A-10-62-16-003
Although Anthem has a mature configuration management program in place, as mentioned
above, these controls have not yet been applied to at least one set of servers that were acquired
from another company. We reiterate the importance of enforcing configuration management
controls to all devices in Anthem’s network.
10 Report No. 1A-10-62-16-003
IV. MAJOR CONTRIBUTORS TO THIS REPORT
INFORMATION SYSTEMS AUDIT GROUP
, IT Auditor
, IT Auditor
, Senior Team Leader
, Group Chief
11 Report No. 1A-10-62-16-003
APPENDIX
Federal Employee Program
1310 G Street, N.W.
Washington, D.C. 20005
202.626.4800
www.BCBS.com
July 7, 2016
Chief, Information Systems Audits Group
U.S. Office of Personnel Management (OPM)
1900 E Street, Room 6400
Washington, D.C. 20415-1100
Reference: OPM DRAFT IT AUDIT REPORT
Anthem Blue Cross Blue Shield Follow-Up
Audit Report Number 1A-10-62-16-003
(Dated April 27, 2016)
Dear :
Please find enclosed a copy of Anthem’s responses to the Office of the Inspector
General (OIG) recommendations included in the draft audit report of the information
technology audit conducted of Anthem, Inc. and dated April 27, 2016. If you have any
questions or concerns, please do not hesitate to contact me at .
Sincerely,
Managing Director
FEP Program Assurance
Report No. 1A-10-62-16-003
July 5, 2016
Chief, Information Systems Audits Group
U.S. Office of Personnel Management (OPM)
1900 E Street, Room 6400
Washington, D.C. 20415-1100
Reference: OPM DRAFT IT AUDIT REPORT
Anthem Blue Cross Blue Shield Follow-Up
Audit Report Number 1A-10-62-16-003
(Dated April 27, 2016)
The following represents the Response of Anthem, Inc. to the recommendations
included in the draft report of the audit conducted by the Office of the Inspector General
at the U.S. Office of Personal Management (OPM). Anthem has appreciated the
opportunity to work with OPM’s auditors throughout this process.
Anthem’s Response contains confidential, proprietary and/or trade secret information of
Anthem and/or its affiliated entities and customers. The public use or disclosure of the
information provided in this response would cause harm, including competitive harm, to
the Company. The information provided Anthem’s Response is exempt from public
disclosure pursuant to the Freedom of Information Act (FOIA) regulations, 5 U.S.C.
§ 552. Accordingly, the information provided in this Response, as well as
corresponding documentation, may not be released in response to a freedom of
information request or under any other circumstances. Should OPM determine that any
portion of the information and documentation provided is not exempt from disclosure,
Anthem requests that OPM provide two weeks’ notice of such determination so that
Anthem may take appropriate steps, including obtaining an appropriate protective order
or other relief from a court of competent jurisdiction, to protect this information from
disclosure. Anthem expressly reserves any applicable privileges or immunities to which
it is entitled by applicable law.
Similarly, the current draft of OPM’s findings and recommendations also contains
confidential, proprietary and/or trade secret information of Anthem and/or its affiliated
entities, the public disclosure of which would cause harm, including competitive harm, to
Anthem and/or its affiliated entities and customers. For that reason, Anthem will submit
a version OPM’s draft report that redacts out this highly sensitive information. We repeat
the requests in the above paragraph with respect to FOIA and the opportunity to take
appropriate steps before any of the redacted information is produced or disclosed.
Anthem also requests an opportunity to review the final version of OPM’s report, before
that document becomes public, in order to review that final report for confidential,
Report No. 1A-10-62-16-003
proprietary and/or trade secret information and propose redactions to the final report to
protect such information from public disclosure.
We appreciate the opportunity to provide our response to each of the recommendations
in this report and request that our comments be incorporated into the Final Audit Report.
If you have any questions, please contact me at .
Sincerely,
Director, FEP Compliance/Internal Control
cc:
Report No. 1A-10-62-16-003
Anthem’s Comments Related to Draft Recommendations
A. Network Security
Plan Response
The network security controls noted by OPM describe a subset of Anthem’s comprehensive
network security program. Among the information omitted from the description is the fact that
Anthem operates a Cyber Security Operations Center (“CSOC”).
1. System Lifecycle Management
Recommendation 1
We recommend that Anthem update its policies and procedures to ensure that information
systems are upgraded to current versions prior to the end of vendor support.
Anthem Response
Anthem maintains a comprehensive infrastructure lifecycle management program; the
program is designed to ensure that server operating systems remain current and supported
by vendors.
A “refresh history” is developed for each server and application within
the Anthem environment, detailing the current status of the server or application within the
infrastructure lifecycle.
Anthem tracks the refresh history for each server and application within its environment. As
with any business that relies on changing technology, there are certain situations in which
migrating applications to a new version would be either impractical or impossible.
In these cases, the Anthem information security team documents
the risks associated with maintaining the application and communicates these risks to
Anthem business owners as well as IT leadership. Where appropriate, the information
security team follows an exceptions process consistent with Anthem’s Information Security
Risk Exception Request Procedure, provided as Exhibit 1.1.
company acquisitions were migrated into the overall Anthem lifecycle
management program, resulting in the integration of new servers into the
Anthem environment. Following the acquisitions, Anthem surveyed and prioritized acquired
servers for refresh based on the risk profile presented. These systems were integrated into
the infrastructure lifecycle management program in
Report No. 1A-10-62-16-003
. A screenshot from Anthem’s
Security Exception Tracker system, attached as Exhibit 1.2, provides a sample of the
documentation created describing risk mitigation efforts for servers that had been acquired
by Anthem.
As part of its ongoing infrastructure lifecycle management program, in the time that has
elapsed since the OPM completed its assessment work,
The remaining such servers in the Anthem environment have been integrated into
one of the following phases of the refresh process described above:
2. Server Migration/Integration
Recommendation 2
We recommend that Anthem update its policies and procedures to require all servers
to be fully integrated into the Anthem configuration, patch, and vulnerability
management program before being migrated into the network environment.
Plan Response
Report No. 1A-10-62-16-003
As noted by OPM, the vast majority of the servers containing vulnerabilities were previously
owned by other companies . As with all companies
that acquire active companies that rely on existing technology to operate their businesses,
Anthem must determine how to integrate the technology in a manner that
is both efficient and sensitive to security concerns.
Anthem is currently reviewing its policies and procedures to further enhance its decision-
making framework governing the integration of acquired servers, including by
Recommendation 3
We recommend that Anthem provide evidence that the vulnerability and configuration
issues identified in our assessment specific to the acquired company’s servers have been
remediated.
Plan Response
Anthem will be providing the evidence requested by OPM through established channels. This
evidence demonstrates that the vulnerabilities or configuration management issues identified
by OPM have been addressed within the Anthem environment. If OPM does not agree that
these issues have been remediated, Anthem would appreciate the opportunity to provide
additional evidence to OPM prior to publication of OPM’s final report.
Report No. 1A-10-62-16-003
Report Fraud, Waste, and
Mismanagement
Fraud, waste, and mismanagement in
Government concerns everyone: Office of
the Inspector General staff, agency
employees, and the general public. We
actively solicit allegations of any inefficient
and wasteful practices, fraud, and
mismanagement related to OPM programs
and operations. You can report allegations
to us in several ways:
By Internet: http://www.opm.gov/our-inspector-general/hotline-to-
report-fraud-waste-or-abuse
By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423
By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
Audit of the Information Systems General and Application Controls at Anthem Blue Cross Blue Shield
Published by the Office of Personnel Management, Office of Inspector General on 2016-08-15.
Below is a raw (and likely hideous) rendition of the original report. (PDF)