While the insurer faces between $100 million and $200 million in costs to fix what hackers have wrought, it won't necessarily face civil penalties for HIPAA violations, says a healthcare data security expert.
Anthem Inc. faces hefty costs to repair the massive security breach that may have compromised the personal records of 80 million people. The extent of that liability could depend upon what safeguards the health plan had in place, and how it responds to the concerns of customers and federal regulators, industry observers say.
Given that this is the largest breach of healthcare sector data in U.S. history, Anthem potentially could face record-busting fines for violating the Health Insurance Portability and Accountability Act.
Or not, says Chris Apgar, CEO of Apgar & Associates, a Portland, OR-based healthcare data security consultancy.
"It is understood that there is no such thing as risk-free security," Apgar says. "It doesn't matter how good you are. Breaches are inevitable. Even the federal government has been hacked. It is just a matter of what you should do before the incident to make sure you are doing the best you could to reasonably make sure that something like this would not happen. That is what it is going to hinge on."
With respect to potential HIPAA violations, Apgar says the Department of Health and Human Services' Office of Civil Rights will ask Anthem to explain the breach in detail.
"They'll be asking for a copy of their risk analysis, all of your security policies and procedures, describe the incident, what you did to mitigate, what are your efforts to prevent this from happening again," Apgar says. "If you can answer those questions, it's a matter of being able to demonstrate that they did the right thing."
"If Anthem can document that they have done due diligence and have the appropriate safeguards in place and this was just a sophisticated hacker that got through their defenses, they will be OK from a compliance side of things. They won't necessarily face civil penalties."
That doesn't mean that Anthem won't face substantial costs to fix the problem, along with a barrage of civil lawsuits from angry customers and eager class-action lawyers, says Chris Keegan, Cyber and Technology Practice Leader at Beecher Carlson, an Atlanta-based law firm.
"Anthem is going to find itself liable," Keegan says. "There is going to be some sort of duty of care that would be imposed on Anthem and they will say 'we gave you our information. It is your obligation to protect it and you did not.' The implication is that there is some negligence on their part, at least enough for class-action lawyers to start to make claims against it."
Even if the fines for HIPAA violations are relatively mild, Keegan says Anthem is already looking at spending $100 million or more just to notify consumers and pay for credit monitoring.
"That's before you even get into the litigation and defense of these class actions and any potential damages. Based on my experience, this is probably going to be in the $100 million to $500 million range," Keegan says.
"I am sure those lawyers are working as hard as they can. I haven't seen a lawsuit filed yet, but in other situations like this—[such as] Community Health Systems—a lawsuit was filed two days after the breach was uncovered. I am expecting to see lawsuits against Anthem pop up at any hour now."
Even when it can demonstrate due diligence, Keegan says, no business can credibly claim ignorance about the threat of hackers.
"Just look back in 2014," he says. "We had the biggest retail breach with Home Depot. We had the biggest financial institutions breach with Chase. Look at Sony. This is another breach with healthcare records. Every year we are setting new records in the numbers of data that are being breached in any industry."
So far, Keegan says, Anthem appears to be making all the right moves by getting out in front of the story.
"They went public with it much more quickly than a lot of other companies [have]," he says. "They have already offered credit monitoring, which will allow people to find out as soon as somebody tries to open an account in [their] name. They will get that information as soon as they can, and put a stop to it. There is another product called identity theft insurance that can be offered by Anthem, though I haven't seen them offer it yet."
Apgar says that if Anthem did not encrypt all of its consumer data, it likely was due to expediency more than negligence.
"If I have patient information on my laptop or my tablet I darn well should encrypt it because that is a huge vulnerability if it gets lost or stolen," he says. "On the other hand, if I have servers in a secure data center, the downside of encrypting everything all the time is that it slows things down and gets in the way of doing business."
"You balance your risk," he says. "What you are looking at from an encryption standpoint is what security geeks call 'uncompensated controls.' If they have compensating controls in a hardened data center that has all the bells and whistles, then there is not a lot of sense in encrypting."
Apgar says he doesn't expect Anthem to publicly divulge any "trade secrets" in the coming weeks about the status of their investigation, "but they should take proactive steps through the media saying we are doing this."
"They're also watching to see if something else happens," Apgar says. "A good example is the state of Utah where they had a breach of Medicaid information. The breach was so big, and a couple weeks later it was bigger and bigger, and it just grew. It's just watching it to make sure that doesn't happen. If it does, that is an indicator that they didn't have their hands around it in the first place. Just watch to make sure they are above board and that something new doesn't crop up."
John Commins is the news editor for HealthLeaders.