EXECUTIVE SUMMARY

Anthem has settled a data breach case for $115 million. It is one of the largest settlements ever and holds lessons for healthcare risk managers.

• The breach was traced to one employee clicking on a link.

• Investigators cited insufficient monitoring of key logs.

• The case illustrates the importance of a robust risk analysis/risk management program.


Anthem’s recent $115 million settlement — one of the largest ever in a consumer data breach — shows how costly a breach can be for a healthcare organization. Risk managers should remember that even a much smaller breach could be financially devastating.

A California federal district judge approved the settlement resolving a 2015 data breach at Anthem that exposed the data of 78 million members. The settlement will be divided among 19.1 million plaintiffs in the class-action lawsuit. Each can claim up to $10,000 to cover out-of-pocket expenses related to the breach and can receive free credit monitoring services beyond what Anthem has already provided. (The settlement agreement is available online at: https://bit.ly/2jx3ehy.)

While the numbers and costs associated with this breach are staggering, the issues at the root of it are quite simple, says Dianne J. Bourque, JD, an attorney with the Mintz law firm in Boston.

“Someone clicked on a phishing email, intruders gained access to Anthem’s PHI [protected health information], and the ensuing enforcement action revealed that Anthem has no enterprisewide risk analysis,” Bourque says. “We see this fact pattern almost daily. The only thing different about the Anthem case is the large number of individuals affected.”

“The Anthem breach should stand as a reminder to healthcare risk managers that this could easily happen to their organizations if they don’t pay attention to compliance fundamentals, especially a comprehensive security risk analysis, ongoing employee training — both formal and informal — and information system activity review,” she added.

The Anthem breach should strike fear in healthcare leaders, says Mark Bower, general manager and chief revenue officer with Egress Software in Boston.

“This is a shot across the bow for every CEO, CIO, and CFO,” Bower says. “Not every organization can absorb settlements of this size, not to mention the ongoing management and escalation costs, punitive fines from regulations like HIPAA and GDPR [General Data Protection Regulation], and revenue losses from customer churn that are also associated with data breaches.”

The class-action suit shows that consumers possess a healthy appetite for compensation following a breach of their data, Bower says. Organizations that handle PHI, especially highly sensitive patient data, should use this to gauge what is acceptable financial risk when securing data, and invest in technology and training accordingly, he says.

A Single Click Causes Chaos

“There’s no compromise when it comes to data security. Organizations must always be on the front foot when protecting sensitive data, ensuring their policies and technologies are up-to-date and can mitigate emerging risks,” Bower says. “This attack stemmed from a single phishing email that one unsuspecting employee opened, enabling a hacker to gain access to nearly 79 million data records. The scale of this is incredible, and even the smallest perceived risk must be dealt with.”

Often, people are the point of weakness, Bower says. Recent years have brought radical changes in the way employees work and consume IT services, including the rise of mobile and remote working, and cloud computing.

“Users have become the new security perimeter, and the surface area for risk has increased exponentially as a result. Organizations now need to do more to put guiderails in place to enable employees to work both efficiently and securely,” Bower says. “Phishing emails must be intercepted whenever possible and the best security put in place to mitigate a breach if they do end up clicking on a malicious link.”

Risk managers need to honestly evaluate whether their organizations can afford to be the next Anthem, Bower says.

“Almost every employee will be sent a phishing email at some point or other, and organizations need to ensure their data is protected against this risk. Poor security and a failure to protect patient data carry real, financial consequences that impact the company and shareholders,” he says. “Cybersecurity must have a place at the table in the broader discussion of risk tolerance.”

Logging and log monitoring were highlighted in this case, notes Doug Kanney, principal and the practice lead for HITRUST and HIPAA with Schellman & Company, an independent IT audit and certification firm in Tampa, FL.

“The investigations found that the monitoring of key logs was not taking place that would have helped identify the malicious activity much sooner. Strong password controls were also not found to be in place to adequately protect this highly valuable ePHI,” Kanney explains.

“It was noted in the OCR [Office for Civil Rights] Resolution Agreement with Anthem that strong password controls should be put in place, and it specifically calls out password age,” he continues. “The risk analysis was not enterprisewide, which I believe played a large part in the enforcement action size. A risk analysis was performed, but it was too narrow and did not account for all locations ePHI was residing.”

For risk managers, Kanney says these enforcement actions highlight what OCR has consistently tried to demonstrate during its past enforcement actions: The risk analysis/risk management process is the cornerstone of a sufficient HIPAA compliance program.

More than 90% of HIPAA enforcement actions to date by OCR have pointed to an insufficient risk analysis/risk management program, so this is not new, Kanney says.

“The flow of ePHI in your environment should be mapped to ensure that all systems that may contain ePHI are considered as part of the risk analysis. If it is unclear what systems might contain ePHI, all systems should be considered in scope for risk analysis and security controls,” he says.

“It is important to have a process to perform a risk analysis on a recurring basis, typically at least annually. A process also should be in place to perform ongoing risk analysis if major changes occur in business or if new types of technology are introduced that have a significant impact on the environment.”

SOURCES

• Dianne J. Bourque, JD, Mintz, Boston. Phone: (617) 348-1614. Email: dbourque@mintz.com.

• Mark Bower, General Manager and Chief Revenue Officer, Egress Software, Boston. Phone: (800) 732-0746.

• Doug Kanney, Principal and Practice Lead for HITRUST and HIPAA, Schellman & Company, Tampa, FL. Phone: (866) 254-0000.