Anthem Inc. and the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) have agreed to put some of the regulatory fallout from the major 2014-2015 cyber attack on Anthem behind them.
Anthem — the Indianapolis-based operator of Blue Cross and Blue Shield plans in 14 states — and HHS OCR have agreed that Anthem will pay a $16 million “resolution amount” and implement a detailed corrective action plan.
If Anthem pays the resolution amount and meets the terms of the corrective action plan, HHS OCR will release Anthem from any legal action HHS OCR might otherwise bring under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that is directly related to the 2014-2015 hacking incident.
A copy of the resolution agreement is here.
The agreement text states that it is not an admission, concession or evidence of liability by Anthem.
HHS, meanwhile, says the agreement is “not a concession by HHS that Anthem is not in violation of the HIPAA rules and that Anthem is not liable for civil money penalties.”
Here are answers to four questions financial professionals might have about the resolution agreement.
1. What cyber attack is covered?
Anthem executives reported in early 2015, in a notice to HHS OCR and in a letter to members, that they had discovered that hackers appeared to have gained access to computers containing personal health information, known under HIPAA as “protected health information” (PHI), for 78.8 million people.
Anthem executives said that they had reported the attack to the Federal Bureau of Investigation.
HHS OCR officials say they now believe that attack lasted from Dec. 2, 2014, to Jan. 27, 2015.
The resolution agreement applies to possible HIPAA violations related to the Dec. 2, 2014-Jan. 27, 2015, hacking, according to the text of the resolution agreement.
In the agreement, Anthem and HHS OCR describe the alleged HIPAA violations involved as “covered conduct.”
In the “covered conduct” section, the parties list five HIPAA security requirements that Anthem may have violated:
- The requirement for an entity covered by HIPAA data security requirements to conduct an accurate and thorough risk analysis.
- The requirement for a covered entity to review information system activity regularly.
- The requirement for a covered entity to identify and respond to security incidents leading to a breach.
- The requirement for a covered entity to grant access to electronic PHI only to people and software programs that have been granted access rights.
- The requirement for a covered entity to prevent unauthorized access to electronic PHI.
2. What does the new Anthem-HHS OCR resolution agreement exclude?
The new agreement excludes any HIPAA violations related to incidents other than the 2014-2015 cyber attack.
For the 2014-2015 attack, the agreement excludes “actions that may be brought under Section 1177 of the Social Security Act.”
Section 1177 lets the government impose a fine of up to $250,000, and a prison sentence of up to 10 years, on a person who knowingly discloses PHI to another person for purposes of commercial advantage, personal gain or malicious harm.
3. What was the cyber attack on Anthem like?
HHS OCR officials say that, on Jan. 29, 2015, Anthem discovered that attackers had gained access to the company’s enterprise information technology system through “an undetected continuous and targeted cyber attack for the apparent purpose of extracting data.”
This kind of attack is known as an “advanced persistent threat” (APT) attack, officials say.
The attackers were able to get in because at least one employee opened and responded to a targeted malicious email, known as a “spear phishing” email, officials say.
4. Why does a health insurance company HIPAA case matter to agents and brokers?
Agents, brokers and other financial advisors who sell major medical insurance coverage, or other products that involve health-related benefits or health-based underwriting, may end up collecting what the federal government classifies as “protected health information” (PHI).
Financial professionals who end up holding PHI may be treated, under HIPAA, as “business associates” of the health insurers, hospitals and other “covered entities” that are directly subject to the HIPAA requirements. Business associates may end up facing many of the same kinds of requirements and restrictions that covered entities face.
Or, insurers, financial professionals and other players in the system may go to great lengths to keep financial professionals from getting saddled with PHI. Financial professionals who want to avoid getting PHI need to know what PHI is and how to avoid touching it.
HHS OCR has posted an open-access discussion of the rules that apply to HIPAA business associates here.
The National Association of Health Underwriters posted a video presentation on the topic, which is available only to NAHU members, here.
— Read Anthem Hack Exposes Millions, on ThinkAdvisor.