It’s Halloween! The nights have grown longer, black cats and jack-o-lanterns haunt the neighborhood’s porches, and in keeping with the ghoulish spirit of the season, the Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) has reached its largest-ever settlement. The settlement with Anthem, Inc. follows a well-publicized breach of electronic protected health information (“ePHI”) belonging to 78,800,000 individuals and requires the company to pay $16 million to settle the claims.
According to OCR Director Roger Severino, “[t]he largest health data breach in U.S. history fully merits the largest HIPAA settlement in history.” This settlement is nearly three times larger (i.e., $10.5 million greater) than the previous record of $5.55 million. In addition to the financial component, OCR is requiring substantial corrective action as part of the settlement.
Time to dust off the cobwebs, as it has been some time since some of us have thought about the circumstances of this 2015 breach. Anthem, one of the nation’s largest health benefit companies and an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States, discovered in early 2015 that a series of cyberattacks had exposed the ePHI of almost 79 million people. Cyber-attackers had infiltrated their IT system using an advanced persistent threat attack instituted through spear phishing emails sent to a subsidiary (which were opened by at least one employee). The attackers extracted (i.e., stole) ePHI of nearly 79 million individuals. The breach affected ePHI maintained for Anthem’s affiliated health plans and other covered entity health plans and included identifiers such as names, social security numbers, medical identification numbers, and other identifying elements of the affected individuals.
Under the Health Insurance Portability and Accountability Act (“HIPAA”) breach notification process, Anthem was required to report the breach to HHS, affected individuals, and the media. OCR’s subsequent investigation revealed that Anthem lacked sufficient internal controls to prevent, detect, and respond to the security threat. This included a failure to conduct an enterprise-wide risk analysis, insufficient procedures to regularly review information system activity, failure to identify and respond to suspected security incidents, and failure to implement adequate minimum access controls.
Settlement and Corrective Action Plan
OCR and Anthem entered into a settlement agreement to resolve the matter with HHS and settle the various potential HIPAA violations resulting from the breach. In addition to the monetary portion of the settlement, Anthem is being required to take substantial corrective action to ensure compliance with HIPAA.
The corrective action plan (“CAP”) requires Anthem to conduct a risk analysis for potential vulnerabilities to the ePHI contained in Anthem’s systems and also requires Anthem to submit a statement of work (“SOW”) for the proposed risk analysis (which OCR will review and may provide suggested edits as necessary). OCR will oversee the risk analysis to make sure it comports with both the SOW and the HIPAA Security Rule. Again, OCR may provide technical assistance and recommended changes until OCR determines the risk analysis complies with the SOW and Security Rule.
In addition to the risk analysis, the CAP requires Anthem to review and revise certain policies and procedures. As with the risk analysis, OCR may provide feedback and recommended changes until OCR confirms the policies and procedures comply with the Security Rule.
The settlement also requires Anthem to provide annual reports during the term of the CAP regarding status of and findings regarding compliance with the CAP.
Finally, as if the settlement agreement was not scary enough, the CAP may be extended by HHS if deemed necessary, which could include civil monetary penalties.
While a number of these CAP terms are standard in all levels of OCR HIPAA settlements, the compliance and personnel costs and pressure to meet OCR’s expectations can be significant.
What Does it Mean?
While this phishing attack took place in 2015, it is another example in the increasing trend of phishing campaigns and the significant reach these cyberattacks can have on targeted companies.
Effective preparation can help decrease risk and, while an enterprise-wide risk analysis is important and required, less time consuming efforts can also be extremely effective preventive measures. For example, phishing awareness programs (including an organization phishing campaign) can go a long way in addressing the significant human factor in decreasing these types of cyberattacks.
Up to date policies and procedures and regular reviews of records of information system activity also allow entities to better identify and respond to security incidents prior to a breach and demonstrate appropriate controls (and ideally decrease settlement amounts) in the case of a breach.
Entities regulated by HIPAA should also remember that settlements are just a portion of costs incurred by settling organizations, and organizational costs also include investigation costs (e.g., forensic consultants), mitigation costs (e.g., credit monitoring for affected individuals), reputational costs, immediate and future compliance costs (e.g., new technology, staff, etc.), staff costs (e.g., time spent responding to incidents and investigations), and potential litigation.
In addition to Anthem’s $16 million settlement with OCR, in August of this year, a federal district judge in California granted final approval of a $115 million settlement to a class-action lawsuit brought by 19.1 million individuals potentially affected by the breach.