On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people. According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date. The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach.
According to the OCR press release and the resolution agreement, Anthem is one of the largest health insurance companies in the United States, providing coverage for one in eight Americans through its affiliated health plans. As part of its operations, Anthem maintains certain electronic protected health information (ePHI) in central depositories known as data warehouses.
Anthem’s enterprise data warehouse was breached between December 2014 and January 2015. Through a spear phishing attack on an Anthem affiliate, hackers were able to gain access to the data warehouse and steal the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
Before Anthem filed a formal notice with OCR, the agency began a review of Anthem’s compliance with HIPAA’s Privacy and Security Rules and breach notification requirements based on media reports and statements on Anthem’s website about the breach. As a result of its investigation, OCR alleged that Anthem had failed to conduct an enterprise-wide risk analysis relating to its ePHI systems, lacked sufficient procedures to regularly review system activity, and failed to implement minimum access controls over ePHI. OCR also determined that Anthem had failed to identify and respond to suspected or known security incidents.
As part of its settlement with OCR, Anthem agreed to pay $16 million and comply with a two-year Corrective Action Plan (CAP). The CAP requires Anthem, among other things, to develop and implement a risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, as well as to revise its written policies and procedures regarding access to ePHI and its processes for reviewing activity across its information systems. Anthem also must file annual reports with OCR regarding its compliance with the CAP.
Individuals whose health information was compromised also brought a civil class action suit seeking damages resulting from the breach. As part of the settlement in the case, Anthem agreed to pay $115 million to victims and spend a specified minimum amount per year on information security. Anthem also agreed to revise its cybersecurity practices based on recommendations by the plaintiffs’ cybersecurity expert, update its data retention policies and conduct annual reviews of its information technology security and settlement compliance.
Focus on Risk Analysis and Audit Controls: The Anthem settlement illustrates OCR’s continued focus on bringing enforcement actions targeting failures to perform a comprehensive risk analysis. Several other OCR settlements involving data breaches in recent years similarly cited the companies’ failure to conduct an enterprise-wide risk analysis in finding a violation of HIPAA regulations. This trend underscores how important it is for businesses subject to HIPAA to perform a thorough risk analysis that covers all data systems holding ePHI.
The Anthem settlement also reflects OCR’s enforcement of audit control standards regarding information systems containing ePHI that were outlined in guidance published in January 2017. The guidance links the performance of a risk analysis and design of mechanisms to record and examine activity in information systems that contain or use ePHI to the development of audit controls required under HIPAA’s Security Rule. Consistent with the guidance, the Anthem agreement specifically requires that the company’s revised cybersecurity policies at minimum include processes for “the regular review of records of information system activity collected by Anthem and . . . evaluating when the collection of new or different records needs to be included in the review” and “provisions to address access between systems containing ePHI, such as network or portal segmentation, and provisions to enforce password management requirements.”
OCR’s “Hands-on” Involvement in Protocol Development: Similar to a prior OCR settlement involving a public health care system, the Anthem settlement provides for active collaboration with OCR in developing the company’s cybersecurity policies and procedures and an appropriate risk analysis strategy. The agreement describes an iterative process whereby Anthem must submit its policies and risk analysis for OCR review and comment until OCR confirms that they comply with HIPAA regulations. This stands in contrast to the SEC, which has typically not inserted itself into the process through which settling companies develop cybersecurity protocols.
Inconsistent Assessments by Regulators: This settlement also highlights the risk of inconsistent determinations from investigations by multiple regulators. A consortium of state insurance agencies also conducted an investigation into Anthem’s data breach. In a report issued before OCR’s settlement, the agencies found that Anthem’s “pre-breach cybersecurity was reasonable.” The agencies did not require any monetary payment as part of the subsequent settlement, although the report noted that Anthem had spent over $110 million providing credit protection to individuals who were affected by the breach and an additional equivalent amount implementing security improvements. OCR, however, found the opposite, stating in the press release that Anthem had failed to “implement appropriate measures for detecting” the hackers or monitor its information systems.