The 2015 Anthem data breach could have been a watershed moment for HIPAA privacy and security in many ways.  It remains to be seen if the settlement with OCR turns out to be another one.  Either way, the historic breach and historic settlement have many lessons for us to learn.  Let’s discuss Anthem settlement lessons today.

HIPAA For MSPs by David Sims Anthem Settlement Lessons

Anthem Settlement Lessons

This breach happened before we had the podcast up and running, so we have never discussed the details.  Now seems like a good time to review it, since there is such big news about it.  Something about a $16 million payment gets people to pay attention.  Before we get started with our Anthem settlement lessons, let's review the breach for a moment.

It is important to note the settlement is with the Business Associate Anthem who provides services for the affiliated covered entities of the various health plans.

The timeline starts back on Feb. 18, 2014, when a user within one of Anthem’s subsidiaries opened a phishing email containing malicious content.  (I assume it was the business associate here.)  The email launched the malware that allowed hackers to gain access to that computer and dozens of other systems across the networks, including their data warehouse systems.

After that intrusion, they could keep going further.  They were moving around the network and escalating privileges as they went.  That is the standard pattern for hackers working their way through a network.

The forensics report describes how it went from there:

“The attacker utilized at least 50 accounts and compromised at least 90 systems within the Anthem enterprise environment including, eventually, the company’s enterprise data warehouse – a system that stores a large amount of consumer personally identifiable information,” the report notes. “Queries to that data warehouse resulted in access to and exfiltration of approximately 78.8 million unique user records.”

They didn’t discover the breach until January 27, 2015.  The states impacted got together, and all of the insurance commissioners did a joint investigation.  Their report includes a lot of details.  They found that the company immediately activated their Incident Response plan.  At that point, they were able to stop the intruder activity by January 30, 2015.  The investigation determined that the response plan worked very well.  Basically, the report says Anthem had problems that let the attackers in and prevented them from detecting them for almost a year.

While the pre-breach deficiencies impacted Anthem’s ability to reduce the likelihood of and quickly detect the Data Breach, the controls implemented subsequent to the Data Breach should improve Anthem’s ability to detect future breaches and enable Anthem to respond more effectively to a future attack than was the case in this instance.

A settlement with state insurance commissioners

Eventually, the state insurance commissioners settled with Anthem.  The settlement included their fairly confident belief that the “attacker was working on behalf of a foreign government”.  I often mention how healthcare data can be used by those attackers in so very many ways.

The states took pity on Anthem and noted all the expenses that they had incurred to date.  The states wanted Anthem to commit to spending money on cybersecurity and elected not to hit them with another fine.  Anthem did agree to spend more money implementing security upgrades and adding a special program for credit protection of minors.

The spending at the time of that settlement, which was in December 2016, included:

  • $2.5 million to engage expert consultants;
  • $115 million for the implementation of security improvements;
  • $31 million to provide initial notification to the public and affected individuals;
  • $112 million to provide credit protection to breach-impacted consumers.

That was a total of $260.5m they had spent at that time.  Anthem committed to paying for credit monitoring and upgrades to their security and security monitoring tools.

What is missing is any detail about how the phishing attack worked and how the attackers were able to stay inside for so long with so much success.  That would help us all do better at protecting ourselves.  However, the foreign state involvement may be the most important reason more details were never provided.

Fast forward through a bunch of investigations and legal maneuvers that resulted in a settlement of the civil lawsuits in August this year.  That settlement was also one of the largest settlements in a consumer data breach case in history.  The total was $115m, covering 19.1 million of the 79 million patients breached.  That gets us up to $375.5m for this one data breach before OCR got their bite out of them.

OCR gets their turn next

So, now we have made it to the OCR settlement and our review of it.  The settlement summary adds a few different details to the mix.  It still does not give us the specifics of how it happened, as in the malware and techniques used.  Since it was a nation-state attack, there actually may be some National Security concerns in the details.  Even with portions withheld, we have plenty of Anthem settlement lessons to learn.

The OCR announcement does mention that they know the attack goes back to Feb. 18.  Apparently, the exfiltration of data happened in December and January; according to the breach announcement, that is when the disclosures happened.  The attackers were in there watching and wandering around the whole year, doing some other kinds of things from Feb through Nov 2014, though.

As always the most telling part is the statement from the OCR director in every one of these announcements.  That statement always tells us the point they are trying to make with this settlement.

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.  “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” Director Severino continued, “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

According to the OCR viewpoint of what happened, we have some additional timeline details.  We can put it together this way.

  • Feb. 18, 2014 – Phishing attack happens and the infiltration begins, according to the insurance commissioners’ report
  • December 2, 2014 to January 27, 2015 – Data exfiltration took place
  • January 27, 2015 – Insurance commissioners’ report says they found the attacker
  • January 29, 2015 – OCR press release says this is when “they discovered cyber-attackers had gained access to their IT system”
  • January 30, 2015 – Attack mitigated, according to the investigation report
  • March 13, 2015 – Anthem reports to OCR they have a breach
  • December 2016 – Settlement with Insurance Commissioners
  • June 23, 2018 – Civil suit settlement for $115m
  • October 2018 – OCR settlement
  • October 2020 – End of the agreed CAP

OCR’s list of compliance failures, beyond the improper disclosure of 79 million people’s information, includes the following:

  • The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Anthem
  • The requirement to implement sufficient procedures to regularly review records of information system activity
  • The requirement to identify and respond to detections of the security incident leading to this breach
  • The requirement to implement sufficient technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights
  • The requirement to prevent unauthorized access to the ePHI of 78,800,000 individuals whose information was maintained in Anthem’s enterprise data warehouse

There is nothing new in this list of failures that get people to these kinds of settlement agreements.  The fact that this one was so massive makes the dollar amount stand out.  It is 3 times the largest previous one, which was $5.5m.  The additional $16m paid to OCR will certainly help fund some more investigations.  Note to self.

The OCR check brings the total from $375.5m up to $391.5m.  Now we can round up to $400,000,000.  According to the OCR statements, they didn’t go after more money because of the amounts Anthem had already paid.  However, Severino also mentioned that they wanted to raise the caps on the fines and penalties they can charge.

The two-year corrective action plan included in the settlement

As always with these types of settlements, there is the CAP that gets added on for two years.  Anthem “will undertake a robust corrective action plan to comply with the HIPAA Rules” means they have a list of requirements.  We did an entire episode on what these CAPs mean but now is a good time to point out what they have committed to do for the next two years.

Keep in mind if they fail to meet the CAP requirements the settlement goes back to the drawing board and OCR can recalculate the amount of money they need to receive from Anthem.  That could be a serious penalty for any of these settlements. Here is a taste of those requirements.

  • Within ninety (90) days of the Effective Date, Anthem shall provide to HHS a Statement of Work (SOW) for the Risk Analysis.  HHS then has a 30-day turnaround to ask for changes to the SOW.  Anthem will have a deadline for supplying an updated SOW, and 30 days later a response by HHS.  This loop continues until HHS approves their Risk Analysis SOW.
    • Within two-hundred ten (210) days of HHS’s approval of the Risk Analysis SOW, Anthem will send HHS a Risk Analysis report.  It can be one that is already underway, but either way, HHS will have 30 days to review it and let them know what they think of what has been submitted.  Then, Anthem shall have thirty (30) days to revise the Risk Analysis and provide the revised Risk Analysis to HHS for review.  Again, this loop continues until it is approved by HHS.
    • Within one-hundred fifty (150) days, Anthem must incorporate the results of the Risk Analysis into its existing process for implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, as required by the Security Rule, and will provide such documentation to HHS upon request.
  • Within one-hundred fifty (150) days of the settlement, they will submit a report of their review of all of their policies and procedures, identifying areas that need changes.  There are some minimum requirements that must be addressed.  HHS will let them know within 60 days what they think of the plan and add any other changes they want made.  Then, Anthem has forty-five (45) days to revise such policies and procedures and send them back to HHS for review.  Then, you get into another loop of review and update deadlines until HHS approves them.
    • If HHS adds amendments to the policies and procedures, Anthem has 90 days to implement those updates after the final approval.
    • All policies and procedures will be accessible to the whole workforce within 30 days of the adoption of the policies and procedures.
    • All policies and procedures will be available to new staff members within 30 days of employment.

There is also a fairly standard requirement that most people don’t even think about, but to me it is very telling about the importance of sanctions and enforcement of policies and procedures.

Anthem must report to HHS in writing within sixty (60) days if any workforce member failed to comply with policies and procedures and an investigation determines there is a breach of PHI.  That means even breaches involving a single patient must be sent in within 60 days.  In these large environments, those things happen more often than we would like to think.

Also, they have to send in attestations and reports along the way.  The attestations required things like officers of the company attesting that implementation of updated policies and procedures is actually happening.  They also take it a step further and make the officer attest that they have actually reviewed the details of the report and confirmed that the information is accurate and truthful.

Maybe this one will bring along the rest of the industry that has been dragging their feet and not taking privacy and security seriously.  It certainly made a lot of headlines and quotes like how it is a “dire warning” to the industry as a whole.  There are so many companies out there that couldn’t imagine making an agreement to write a check for $16m and being good with it though.

I still believe these enforcement cases are the least of the worries for the part of the industry that isn’t made up of major enterprises like Anthem.  Statistically, they should just worry about being able to respond properly to an investigation.  There are thousands of those taking place every day.  There is even a backlog of them being worked by the regional offices.  Stay under their radar and provide good documentation when they ask for it.  You don’t have to be perfect; you just have to show you are doing the best you can to do the right thing.

So that is our list of Anthem settlement lessons learned so far.  As more news comes out of this one, there will likely be some more lessons to learn from this one huge settlement.