Unless you have been hiding from the television, internet and/or smoke signals, you have heard something about the recent data breach at Anthem. On February 5, 2015, initial reports surfaced indicating a massive consumer data breach. The first few articles placed the number of affected individuals just north of 40 million people; more recent reports are doubling that number.

So far, Anthem has identified the following information as compromised: Name, Date of Birth, Social Security Number, Medical ID, Home Addresses, E-mail Addresses, Employment Information and Income Data. In a remarkably quick response, Anthem posted this letter to its members (past and present) at anthemfacts.com:

“To Our Members, Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised…”

For those affected directly by the breach, many received personal notices from Anthem and/or their employer. Here is one of those letters:

“As you may have heard in the news, Anthem, was recently the target of a cyber attack. While we don’t yet know if our employees’ personal information was involved, we do know that the attackers obtained information from as many as 80 million of Anthem’s current and former members, including: Names

Birthdays

Medical IDs/Social Security numbers

Street addresses

Email addresses

Employment information, including income data According to Anthem there is no evidence, at this time, that credit card or medical information was compromised. If your information was accessed, Anthem will individually notify you via mail or email (if possible).

Anthem will provide credit monitoring and identity protection services free of charge.

You can access information as it becomes available on this website: www.AnthemFacts.com or via this toll-free number: 1-877-263-7995 I’m passing along information from the Better Business Bureau web site that addresses data breach situations. The BBB offer some great suggestions and advice – many of these items were discussed during the seminar today. http://www.bbb.org/council/news-events/consumer-tips/2015/02/bbb-advice-on-what-to-do-after-a-data-breach-compromises-your-identity/ “

Somewhat amazingly, not only was client information exposed, but Anthem employee data was stolen as well. It begs the question, why was client and employee data on the same system, or even on mutually accessible systems? Even further, why weren’t these databases encrypted? Encryption would have done wonders for Anthem in this breach. While encryption is not perfect, it certainly ensures that data is, at a very minimum, not presented in an easily accessible format.

Even more confounding than the facts leading up to the breach is the misinformation being pushed out by the media. Several articles have made statements indicating that the leaked information is not PHI. The media logic seems to be that since the data itself is not medical information, it is not PHI. This is incorrect.

According to HHS:

“Protected health information is information, including demographic information, which relates to:

the individual’s past, present, or future physical or mental health or condition,

the provision of health care to the individual, or

the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.”

The key phrase in the first sentence is “demographic information.” Contrary to common opinion (including the media’s), demographic information held by a covered entity is PHI. This is further supported by the third bullet point above, which states: “Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”

Despite the media misconceptions, the data breached by Anthem is PHI and subject to the fines and sanctions imposed by HIPAA. Further, the protections of HIPAA apply to PHI held by covered entities and their business associates. HIPAA defines a covered entity as 1) a health care provider that conducts certain standard administrative and financial transactions in electronic form; 2) a health care clearinghouse; or 3) a health plan.

Under HIPAA, fines range from $100 to $50,000 per violation. The level of the fine depends on whether the entity knew of the security gap, acted on the gap, or even whether the decision to not address the gap was a willful decision. There are fine caps for each statutory violation. Assuming OCR finds that 1) Anthem failed to safeguard the data and 2) there was an impermissible use or disclosure, the statutory fines would cap out at $1.5million for each violation, for a total of $3million.

While, this fine represents the maximum amount that could be levied as a statutory penalty, it does not include costs of credit monitoring and notification. Generally, these costs account for $100 per affected person, for a total of $8 billion ($100 per person affected). This means that even conservatively, the potential HIPAA related fines and administrative costs for Anthem could exceed $8 billion. Add to this, the class action law suits for negligence, state mandated penalties/fines, and Anthem is staring down the barrel of a very serious problem.

Let’s take a minute to appreciate the volume of those potential fines. Anthem brought in $74 billion last year in revenue. Of that amount, $69 billion went to overhead, leaving an annual profit of roughly $5 billion for 2014. This means that even assuming a conservative estimate, the administrative costs and fines could far surpass the profit and/or revenue of Anthem. It also does not take into account the investor cost, client flight, or credibility loss. This is shaping up to not only be the single largest HIPAA breach on record, but also a gargantuan financial cost. It also bears mentioning that this is not the first large scale HIPAA breach by Anthem. In 2009-2010, over 230,000 individuals had their PHI compromised due to a known security flaw that was not patched. The 2009 breach resulted in a $1.7 million fine.

Takeaways: While we are still in the early days of this breach, the early information looks startlingly poor. Anthem, one of the top three healthcare providers in the country, appears to have failed yet again at ensuring the security of its data. Given the severity of the consequences and their prior breach, it’s a wonder they are here yet again. Prior planning coupled with up to date security measures are only the beginning of securing electronic PHI. Companies must work to utilize data security philosophies such as data silos, device hardening, and robust password management if they want to prevent the types of breaches we hear about in the news.

/s/ HH @legalevity