Resolution Agreement: Anthem, Inc. (Oct. 15, 2018); HHS Press Release (Oct. 15, 2018)
Anthem, Inc. has entered into a record-breaking $16 million resolution agreement in connection with the massive data breach the company reported to HHS’s Office for Civil Rights (OCR) in 2015 (see our Checkpoint article). Described by HHS as the largest U.S. health data breach in history, a series of cyberattacks exposed the protected health information (PHI) of almost 79 million people. The HIPAA resolution agreement comes on the heels of Anthem’s recent $115 million settlement of a class action lawsuit brought by individuals affected by the breach (see our Checkpoint article).
OCR’s investigation began after Anthem filed a breach notification report detailing a continuous and targeted cyberattack discovered in late January 2015. After filing the breach report in March 2015, Anthem discovered that attackers had infiltrated information systems through spear-phishing emails, leading to the theft of PHI starting in early December 2014. In addition to the $16 million settlement under the resolution agreement, Anthem is required to undertake a two-year corrective action plan (CAP) to comply with the HIPAA security rules. The CAP includes conducting a thorough risk analysis—supervised by OCR—of the risks and vulnerabilities with respect to electronic PHI held by Anthem. The company must review, revise, and submit for OCR review its written policies and procedures for security rule compliance—specifically addressing information system activity review and access control—and distribute them to its workforce following OCR approval. It also must provide periodic reports to HHS detailing any violation of the policies and procedures by members of its workforce.
EBIA Comment: The delay between the start of the cyberattacks and Anthem’s discovery of the breaches almost certainly influenced the size of the penalty. More robust policies and procedures to limit access to PHI, review information system activity, and respond to security incidents may have enabled Anthem to detect the attacks sooner and contain the damage. As cyberattacks are increasingly viewed as inevitable in a digital world, a company’s detection, response, and recovery functions take on greater importance and must complement protective measures. In developing a more comprehensive approach, covered entities and business associates may be interested in the recently enhanced Security Risk Assessment Tool, provided by OCR in collaboration with the HHS Office of the National Coordinator for Health Information Technology (ONC). HHS touts the updated version of this popular tool (first released in 2014—see our Checkpoint article) as more user-friendly and more broadly applicable to the risks of the confidentiality, integrity, and availability of health information. Through a series of interactive questions, the tool walks users through a seven-part risk assessment, addressing topics such as security policies, access control, activity monitoring, encryption, physical safeguards, business associates, and contingency planning. The holistic approach embodied in the tool can help increase the protection and resilience of information systems to threats and vulnerabilities to PHI. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXV (“Breach Notification for Unsecured PHI”) and XXX (“Core Security Requirements”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded 1/17/18).
Contributing Editors: EBIA Staff.