Two years after Anthem Inc., the largest health insurer in the country, announced a breach of protected health information (PHI) affecting nearly 80 million of its beneficiaries, the attorneys representing the affected members have come to an agreement with the insurer. The settlement is a good reminder that health plans can no longer assume the status quo will work for protecting patient records, attorneys and cybersecurity consultants say. Neither should they become apathetic because of the difficulty of cybersecurity in today’s rapidly changing technology world.

The 54-page, $115 million settlement agreement is pending Aug. 17 preliminary approval by Northern District of California Judge Lucy Koh. More than 100 lawsuits were filed against Anthem across the country over the past two years, and the cases were consolidated for the settlement, according to Andrew Friedman, a partner of Cohen Milstein Sellers & Toll PLLC and co-lead for the plaintiffs’ counsel.

The takeaway is simple, Friedman tells AIS Health. “I think people more and more will look to those companies that they buy products from to protect them from this kind of thing happening,” he said. “It’s no longer business as usual.”

Some $15 million of the $115 million settlement fund will be applied to relieve plaintiffs of the costs incurred by the breaches, according to Friedman, who says the plaintiffs’ counsel are satisfied this amount will suffice. In addition, Anthem will be required to meet certain undisclosed IT security standards and will provide the breached customers with two years of credit monitoring.

Anthem has already been providing credit monitoring since the breach, so if the settlement is approved, the beneficiaries with breached records will receive a total of four years of credit monitoring.

Settlement Would Audit Anthem’s IT

Friedman says the settlement calls for tangible proof that Anthem has upped its game and is maintaining top-level IT security for the next three years. The technical requirements for Anthem under the agreement were drawn up with the help of IT experts, he says, and they “are filed under seal,” intentionally, so as to prevent potential hackers from knowing its security strategies.

Independent consultants will annually conduct an IT risk assessment of Anthem for the next three years and report back to the plaintiffs’ counsel, Friedman says. The reason the agreement doesn’t include requirements beyond three years is that technology changes too quickly from year to year and the plaintiffs’ counsel wanted the requirements to be specific and trackable. They also are assuming that after three years, Anthem will be incentivized to keep its security strategy at a high level.

According to the Oct. 19, 2015, complaint, Anthem failed to limit access to PHI to those on a “need-to-know” basis and “failed to allocate the resources necessary to maintaining the confidentiality of this information,” among other things.

Geraldine Rodriguez, a spokesperson for the insurer, says Anthem believes the proposed settlement will “completely resolve” the breach litigation.

The insurer “is not admitting any wrongdoing or that any individuals were harmed as a result of the cyber attack,” Rodriguez says. “There is no evidence that any data impacted by the cyber attack has ever been sold or used to commit fraud,” according to Rodriguez.

But that’s not what the Anthem members who were breached say. A Feb. 24 complaint reports they “have been repeatedly harmed.” The complaint lists fake tax returns filed, bank accounts drained and credit cards or fraudulent loans taken out in their names. “Affected individuals must worry about being victimized throughout the rest of their lives,” the complaint says.

Cybersecurity Is Tough for Health Care

Robert Lord, co-founder and CEO of Protenus, a health data security platform company, says cybersecurity is especially hard in the health care industry. “It’s easy to blame health care, but we have a level of complexity to manage on that front,” Lord says. “We also require a level of openness for treating patients that is incompatible with a heavily locked-down framework.”

Health plans are particularly vulnerable targets because they have large amounts of data and their records include not only information from medical records but also claims data. “When you have someone’s medical history, you really almost own that person completely,” Lord says. “It’s quite a terrifying scenario.”

Today’s cybersecurity threats, Lord says, require the use of artificial intelligence and machine learning to help human IT teams find the risks. He advises employing several advanced methods simultaneously to protect records.

Given the advanced level of threats out there, IT teams at most health plans struggle to provide the needed security with constrained resources, Lord says. He urges boards of directors to focus on upgrading IT training. Without it, the job is becoming “nearly impossible to do right.”

Read the entire proposed settlement agreement at