On October 15, 2018, OCR announced a $16 million settlement with Anthem over the 2015 breach of 79 million individuals’ protected health information. It is the largest settlement amount in OCR history, and it concerns the largest healthcare data breach since HIPAA was implemented. In addition to the dollar payment, Anthem signed a Resolution Agreement and is also subject to a two-year Corrective Action Plan.
Paul Hales, J.D., the author of The HIPAA E-Tool®, has been answering questions from the press this morning about his take on the settlement, and we are publishing an excerpt of those questions and answers here.
Q: What do you think about the penalty amount?
The $16 Million Resolution Amount is eye-catching evidence of OCR’s commitment to enforce HIPAA.
Anthem would be liable for a significantly larger civil money penalty if it did not settle – and is still liable if it fails to meet OCR’s Corrective Action Plan requirements.
Q: What do you think about the OCR findings?
OCR’s findings, beginning with Anthem’s failure to perform an accurate and thorough Risk Analysis, are not surprising.
Failure to perform Risk Analysis and manage identified risks is the most serious HIPAA violation among Covered Entities and Business Associates of all types and sizes.
Risk Analysis and Risk Management are the basis of a HIPAA compliance program.
Phase II Audit findings indicate that failure to perform Risk Analysis – Risk Management is at the heart of our national health privacy information crisis, with more than 177 million Americans affected by a breach of their protected health information since record-keeping began in September 2009.
OCR Director Roger Severino pledged to focus enforcement on egregious cases. It’s noteworthy that both the Anthem and Fresenius Resolution Agreements (the latter of February 1, 2018) emphasize the importance of enterprise-wide Risk Analysis. Risk analysis is site-specific.
Q: What are the big lessons here for other Covered Entities and Business Associates?
The HIPAA Rules are a blueprint to protect your organization and an individual’s protected health information you create, receive, maintain or transmit.
Enterprise-wide, site-specific Risk Analysis and Risk Management are essential.
Safeguards to address identified risks and threats must be established or strengthened as appropriate.
HIPAA policies and procedures must be reviewed and revised as appropriate to incorporate necessary safeguards and comply with the HIPAA rules.
Workforce members must be trained to follow the organization’s HIPAA compliance policies and procedures.
Q: Did the U.S. ever identify who was behind the attack and why? There had been rumors about China gathering intelligence on U.S. citizens. Do we have any confirmation of that?
The California Department of Insurance states an investigation conducted by Alvarez & Marsal Insurance and Risk Advisory Services, LLC determined with a high degree of confidence the identity of the attacker and concluded with a medium degree of confidence that the attacker was acting on behalf of a foreign government. It does not identify the foreign government. See here and also here and more here.
News reports indicate the malicious software was a variant of “Sakula” developed in China. On August 21, 2017, Yu Pingan was indicted in the U.S. District Court for the Southern District of California and alleged to be a malware broker in the People's Republic of China who employed “Sakula” to attack U.S. computer systems. Here is the complaint against Yu Pingan in federal court.
I am not aware of any public statement by government authorities or others that the Chinese government instigated the Anthem attack.
Anthem’s Resolution Agreement and Corrective Action Plan can be found here.
If you have questions about the significance of the Anthem settlement, or what it might mean for your organization, whether you are a covered entity or a business associate, let us know.