October 18, 2018
Anthem, Inc. agreed to pay $16 million to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy and Security Rules. The settlement is the largest HIPAA settlement ever and is tied to the largest U.S. health data breach in history. The breach was the result of ongoing and systematic cyberattacks, leading to the unauthorized disclosure of the electronic protected health information of almost 79 million people.
The HHS press release issued on October 15, 2018 outlines details of the breach, Anthem’s response to the breach, the OCR investigation, and the ensuing resolution agreement and corrective action plan. Despite the size of the breach and settlement, the resolution agreement and attendant corrective action plan (as compared to previously agreed resolution agreements and corrective action plans) are relatively straightforward. As described more thoroughly below, at its core, Anthem must: (i) implement a Security Management Process, including the risk analysis required under the Security Rule; (ii) review and revise, as necessary, its written policies and procedures to address certain minimum content requirements; and (iii) distribute those policies and procedures to its workforce members. Though relatively straightforward, the corrective action plan highlights OCR’s continued focus on enforcing the key requirements of HIPAA’s Privacy and Security Rules and on holding organizations accountable for the actions of the individuals within them.
The message is clear. Non-compliance with HIPAA and health information data privacy and security requirements continues to be a significant risk for organizations that create, receive, maintain or transmit protected health information (PHI).
Who is Anthem?
Operating throughout the United States as an independent licensee of the Blue Cross and Blue Shield Association, Anthem provides medical care coverage to more than 40 million Americans through affiliated health plans. As a health plan and a business associate of other health plans, Anthem is required to comply with the HIPAA Rules.
The Breach and Reporting of the Breach
Anthem filed a breach notification report with the HHS OCR on March 13, 2015. The report detailed the January 29, 2015 discovery that cyber-attackers had infiltrated Anthem’s IT system through an undetected, continuous and targeted cyberattack for the apparent purpose of extracting data (otherwise known as an advanced persistent threat attack). The investigation revealed that this breach persisted from December 2, 2014 until January 27, 2015.
Anthem’s investigation revealed that spear phishing emails sent to an employee at a subsidiary succeeded, giving the cyber-attackers an initial foothold from which they expanded their access across the Anthem system. Spear phishing is a targeted form of phishing: an email crafted for a specific organization or individual, typically impersonating a trusted sender, that seeks to obtain credentials or otherwise gain unauthorized access to sensitive information.
OCR’s subsequent investigation concluded:
- Cyber-attackers stole the names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information of approximately 78,800,000 individuals, potentially violating 45 C.F.R. § 164.502(a);
- Anthem failed to conduct an enterprise-wide risk analysis, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A);
- Anthem had insufficient procedures to regularly review information system activity, as required by 45 C.F.R. § 164.308(a)(1)(ii)(D);
- Anthem failed to identify and respond to suspected or known security incidents, as required by 45 C.F.R. § 164.308(a)(6)(ii); and
- Anthem failed to implement adequate minimum access controls (technical policies and procedures) to prevent cyber-attackers from accessing electronic PHI, as required by 45 C.F.R. § 164.312(a).
Record Payment Settlement Agreement
OCR publicized the resolution agreement and corrective action plan with Anthem on October 15, 2018. Although the resolution agreement is neither an admission of liability by Anthem nor a concession by HHS that Anthem did not violate HIPAA rules, it highlights the focal points of OCR’s investigative concerns. The agreement resolves potential violations of HIPAA Rules related to the alleged covered conduct, and as part of the resolution agreement:
- Anthem agreed to pay a fine to HHS of $16 million;
- Anthem agreed to enter into a corrective action plan; and
- HHS agreed to release Anthem of any actions it has against Anthem arising out of covered conduct, conditioned upon Anthem’s performance under the resolution agreement and corrective action plan.
OCR Director Roger Severino commented that the largest HIPAA settlement was warranted for the largest health data breach in U.S. history. The $16 million settlement was nearly triple OCR’s prior largest settlement, $5.5 million with Advocate in 2016. Roger Severino said, “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who gained access to their system to harvest passwords and steal people’s private information.” As hackers target large healthcare entities, those entities are expected to maintain strong credential controls, to monitor information system activity, and to detect and respond to security incidents in a timely fashion, or risk enforcement by OCR.
In the two-year corrective action plan, Anthem agreed to:
- Conduct an accurate and thorough Risk Analysis of risks and vulnerabilities of the electronic PHI held by Anthem;
- Review and revise policies and procedures on Information System Activity Review and Access Control, as required by 45 C.F.R. § 164.308(a)(1)(ii)(D) and 45 C.F.R. § 164.312(a)(1), respectively, and to provide them to HHS for review;
- Make the revised Information System Activity Review and Access Control policies available to Anthem’s workforce; and
- Investigate reports of non-compliance with the Information System Activity Review and Access Control policies and to report material failures to HHS.
Anthem additionally agreed to file a report with HHS 120 days after the effective date of the corrective action plan, and annually thereafter, attesting to the implementation of the updated policies and procedures and to the accuracy of the information submitted to HHS.
Class-action Civil Lawsuit
In addition to the OCR settlement, in June 2017 Anthem settled a civil class-action lawsuit arising from the same data breach for $115 million, which was also the largest data breach settlement at the time.
As noted, the Anthem resolution agreement and corrective action plan with OCR are relatively straightforward, especially when compared to prior resolution agreements and corrective action plans. The takeaways are equally straightforward:
- Healthcare organizations continue to endure threats to the security of their PHI and electronic PHI.
- Organizational risk from data breaches continues to grow in both frequency and magnitude. The number of HIPAA breaches reported to OCR has grown year over year, and, as the Anthem settlement shows, the financial penalties continue to grow as well.
- Management must recognize the inherent risk of insufficient data privacy and security infrastructure in its operations.
- Organizations can mitigate risks to their health information data privacy and security through robust Data Privacy and Security Programs that account for the particular risks of the organization.
- Data Privacy and Security Programs must touch every component and every person within an organization. Any weak spot in an organization’s Data Privacy and Security Program can expose the organization to looming threats. The Anthem breach particularly reinforces this point: one employee responding to a phishing email can place the data security of an entire organization at risk.
- The Training and Education element of an effective Data Privacy and Security Program provides a platform to educate all levels of workforce and employees and bring about a culture of awareness of likely threats and that recognizes and responds to potential threats to data security.
- An overwhelming percentage of the data breaches reported to OCR stem from the non-malicious actions of individuals rather than from a weakened IT infrastructure. Considering that a single employee can have access to massive amounts of patient and individual data, a Data Privacy and Security Program that is strong only on paper is not enough. Each employee must adopt the principles of the organization’s Data Privacy and Security Program.
Ankura’s team of Risk & Compliance professionals are well-versed in matters involving data privacy and security, including health information privacy and security, and can assist organizations in assessing the effectiveness of their Data Privacy and Security Programs.