How to Avoid a $16 million Settlement with HHS
You likely heard about the Anthem breach back in 2015. Given that 79 million individuals were affected, there is a good chance that you or someone in your family was among them. It took HHS several years, but it announced the settlement with Anthem this week. Anthem has agreed to pay HHS $16 million and take substantial corrective action to resolve the HIPAA violations behind the largest health data breach ever to occur in the US. This $16 million settlement is on top of the $115 million settlement Anthem agreed to in a federal class action brought against it for the same breach. These amounts are among the largest ever seen for a data breach, and the HHS settlement is almost three times the next largest settlement HHS has entered into for a HIPAA violation.
This settlement should be a wakeup call for self-funded health plan sponsors who have not given enough attention to HIPAA. Many employers may think, "we are a small company and it won't happen to us," but this breach could have happened to almost any company. You may not hold the PHI of 79 million individuals, but even a single HIPAA violation can reach the $1,711,533 annual cap very quickly, because HHS has the authority to penalize a covered entity up to $57,051 per violation, counted per individual affected. This breach began with employees receiving phishing emails. At least one Anthem employee responded to a phishing email, which opened the door for the attackers to obtain the personally identifiable information of approximately 79 million individuals. Beyond this impermissible disclosure of ePHI, HHS also found that Anthem had failed to conduct an enterprise-wide risk analysis, had insufficient procedures for responding to suspected security incidents, and had failed to implement adequate minimum access controls.
Employers often grumble at the cost of doing a risk analysis, updating their HIPAA policies and procedures, or doing additional HIPAA training, but the cost of not doing those things can be penalties that would put many companies out of business. Spending several thousand dollars today could prevent hundreds of thousands or even millions of dollars of penalties tomorrow. In today's environment it is imperative to keep your IT systems up to date and to train your employees on the latest cyber-attacks. Even if you believe your company is protected well enough, or that it won't happen to you, you can still be investigated if your business associate has a breach, because your name will be reported to HHS as part of that breach. Thousands of companies' names were given to HHS as a result of the Anthem breach, because Anthem was serving as the administrative services only (ASO) provider for those companies' self-funded plans.
A breach at a business associate may be no fault of your company, but you could still be penalized if HHS finds holes in your own security. If you haven't paid much attention to your plan's HIPAA compliance lately, we hope this settlement makes you dust off your policies and consider whether additional training or procedures are necessary to protect your company and your participants' data. If you need assistance, we have a team of HIPAA experts who can help. Please reach out to any Graydon attorney, and they can put you in touch with the right attorney.