Anthem Inc. and the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) have agreed to put (some) concerns about a major 2014-2015 cybersecurity attack on Anthem behind them.
Anthem — the Indianapolis-based operator of Blue Cross and Blue Shield plans in 14 states — and HHS OCR have agreed that Anthem will pay a $16 million “resolution amount” and implement a detailed corrective action plan.
If Anthem pays the resolution amount and meets the terms of the corrective action plan, then HHS OCR has agreed to release Anthem from legal actions HHS OCR might have against Anthem, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), that are directly related to the 2014-2015 hacking incident.
A copy of the resolution agreement is here.
The agreement is not an admission, concession or evidence of liability by Anthem, according to the agreement text.
HHS, meanwhile, says the agreement is “not a concession by HHS that Anthem is not in violation of the HIPAA rules and that Anthem is not liable for civil money penalties.”
Here are answers to four questions financial professionals might have about the resolution agreement.
1. What cyber attack is covered?
Anthem executives reported in early 2015, in a notice to HHS OCR and in a letter to members, that they had discovered that hackers had apparently gained access to computers containing personal health information, or “protected health information” (PHI), for 78.8 million people.
Anthem executives said that they had reported the attack to the Federal Bureau of Investigation.
HHS OCR officials say they now believe that the attack lasted from Dec. 2, 2014, to Jan. 27, 2015.
The resolution agreement applies to possible HIPAA violations related to the Dec. 2, 2014-Jan. 27, 2015, hacking, according to the text of the resolution agreement.
In the agreement, Anthem and HHS OCR describe the alleged HIPAA violations involved as “covered conduct.”
The parties list five HIPAA requirements that Anthem could have violated, in a section on “covered conduct”:
- The requirement for an entity covered by HIPAA data security requirements to conduct an accurate and thorough risk analysis.
- The requirement for a covered entity to review information system activity regularly.
- The requirement for a covered entity to identify and respond to security incidents leading to a breach.
- The requirement for a covered entity to grant access to electronic PHI only to people and software programs that have been granted access rights.
- The requirement for a covered entity to prevent unauthorized access to electronic PHI.
2. What does the new Anthem-HHS OCR resolution agreement exclude?
The new agreement excludes any HIPAA violations related to incidents other than the 2014-2015 cyber attack.